It looks like the Upatre downloader malware has added a new tool that takes advantage of PCs that are missing Windows Update patches from last fall (well, last Northern Hemisphere fall). In the past few weeks, newer versions of the Upatre malware can silently elevate their payload (the closely-coupled Dyre/Dyreza banking malware) to run as full admin. These newer versions are using a vulnerability that Microsoft patched in October; however, if a PC is not patched, even non-admin users tricked into running Upatre can have the malware elevated to SYSTEM.
Upatre continues to incorporate the AppCompat UAC bypass technique when it is run from an admin account with a split token, but the addition of this exploit when running as a non-admin account gives the malware a better chance to gain full admin rights and privileges in either case.
The non-admin infection looks a little different on a 64-bit system versus a 32-bit system. On the latter, the Upatre binary incorporates the exploit directly in its own, 32-bit image and runs it directly. On the former, the Upatre binary drops a 64-bit helper program in the local, “working” directory; in the samples I looked at the dropped file was named winlogon.exe. Upatre then launches the 64-bit program with itself as the command-line parameter. The helper program then exploits the vulnerability on 64-bit systems to escalate the main Upatre binary to run as SYSTEM. (As before, these screenshots are from SysInternals’ Process Monitor.)
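The drop-and-launch pattern described above (a file named after a core Windows binary written to the working directory, then started with the main Upatre binary as its command-line argument) is something a defender can look for in Process Monitor output. The following is an added example, not code from the original post: it runs two simple rules over a constructed CSV export in Process Monitor's column layout; the paths, PIDs and the file name "upatre.exe" are made up for the example.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of a Process Monitor CSV export (not a capture from the post);
# the paths, PIDs and the file name "upatre.exe" are invented for this example.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1204","Process Create","C:\Users\bob\AppData\Local\Temp\upatre.exe","SUCCESS","PID: 3320, Command line: ""C:\Users\bob\AppData\Local\Temp\upatre.exe"""
"10:01:03.4","upatre.exe","3320","CreateFile","C:\Users\bob\AppData\Local\Temp\winlogon.exe","SUCCESS","Desired Access: Generic Write"
"10:01:04.0","upatre.exe","3320","Process Create","C:\Users\bob\AppData\Local\Temp\winlogon.exe","SUCCESS","PID: 3388, Command line: ""C:\Users\bob\AppData\Local\Temp\winlogon.exe"" C:\Users\bob\AppData\Local\Temp\upatre.exe"
"10:01:05.2","services.exe","512","Process Create","C:\Windows\System32\svchost.exe","SUCCESS","PID: 3400, Command line: C:\Windows\System32\svchost.exe -k netsvcs"
'''

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
CORE_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}
EXE_PATH = re.compile(r'[a-z]:\\[^"\s]+\.exe', re.IGNORECASE)


def command_line(detail):
    """Pull the command line out of the Detail field of a 'Process Create' event."""
    marker = "Command line: "
    pos = detail.find(marker)
    return detail[pos + len(marker):] if pos >= 0 else ""


def find_suspicious_launches(csv_text):
    """Return (child pid, reason, image path) for process creations matching the Upatre pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Operation"] != "Process Create":
            continue
        image = row["Path"]
        image_dir = ntpath.dirname(image).lower()
        pid = int(row["Detail"].split(",")[0].split()[-1])  # child PID recorded in Detail
        # Rule 1: a core Windows process name started from outside the system directories.
        if ntpath.basename(image).lower() in CORE_NAMES and not image_dir.startswith(SYSTEM_DIRS):
            findings.append((pid, "core binary name outside system dirs", image))
        # Rule 2: the child is handed another executable from its own directory as an argument,
        # the way the dropped helper is launched with the main Upatre binary as its parameter.
        for arg in EXE_PATH.findall(command_line(row["Detail"])):
            if arg.lower() != image.lower() and ntpath.dirname(arg).lower() == image_dir:
                findings.append((pid, "sibling executable passed as argument", image))
    return findings


if __name__ == "__main__":
    for pid, reason, image in find_suspicious_launches(SAMPLE_CSV):
        print(f"PID {pid}: {reason}: {image}")
```

On the sample, only the launch of the dropped winlogon.exe (child PID 3388) trips both rules; the legitimate svchost.exe start from System32 does not.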
One important note is that this new privilege escalation exploit for non-admin infections is not being attempted on the 64-bit version of Windows 8.1 (the more popular install), only on Windows 7. (Vista usage being what it is and XP being out of support.)
I did not see the exploit succeed in a quick test on the public Windows 10 Technical Preview (Build 9926), which is not definitive but makes some sense given it was released after the October patch. As a fallback, Upatre will “install” Dyreza in the non-admin account if the privilege escalation attempts don’t work; however, this is more susceptible to antivirus programs when the signatures finally catch up.
Looking at the winlogon.exe file (MD5 hash of EAE4B4B4A97E00D3FFDF0291F6CD637A), it was first submitted to VirusTotal very late on February 5th (Universal Time), which may give a ballpark estimate of how long this feature has been running “in the wild.” As of the last submission to VirusTotal on February 24th, only 9/57 scanning engines are specifically flagging it as bad:
The patch that Microsoft released in October was associated with security bulletin MS14-058. The bulletin includes links to manually download the patch based on the different versions of Windows:
That patch was then superseded by the patch associated with security bulletin MS14-079 released the next month in November:
For reference, here are links to the two Upatre samples on VirusTotal: