SANS ISC Internet Storm Center


Upatre/Dyre - the daily grind of botnet-based malspam

Published: 2015-05-05
Last Updated: 2015-05-05 00:15:30 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Malicious spam (malspam) delivering Upatre/Dyre has been an ongoing issue for quite some time.  Many organizations have posted articles about this malware.  I've read good information on Dyre last year [1, 2] and this year [3]. 

Upatre is the malware downloader that retrieves Dyre (Dyreza), an information stealer described as a "Zeus-like banking Trojan" [4].  Earlier this year, EmergingThreats reported Upatre and Dyre are under constant development [5], while SecureWorks told us banking botnets continue to deliver this malspam despite previous takedowns [6].

Botnets sending waves of malspam with Upatre as zip file attachments are a near-daily occurrence.  Most organizations won't see these emails, because the messages are almost always blocked by spam filters.

Because security researchers find Upatre/Dyre malspam nearly every day, it's a bit tiresome to write about, and we sometimes gloss over the information when it comes our way.  After all, the malspam is being blocked, right?

Nonetheless, we should continue to document some waves of Upatre/Dyre malspam to see if anything is changing or evolving.

Here's one wave we found after searching through our blocked spam filters at Rackspace within the past 24 hours:

  • Start date/time:  2015-05-04 13:48 UTC
  • End date/time:  2015-05-04 16:40 UTC
  • Timespan:  2 hours and 52 minutes
  • Number of emails:  212

We searched for subject lines starting with the word "Holded" and found 31 different subjects:

  • Holded account alert 
  • Holded account caution 
  • Holded account message 
  • Holded account notification 
  • Holded account report 
  • Holded account warning 
  • Holded bank operation alert 
  • Holded bank operation caution 
  • Holded bank operation message 
  • Holded bank operation notification 
  • Holded bank operation report 
  • Holded bank operation warning 
  • Holded operation alert 
  • Holded operation caution 
  • Holded operation message 
  • Holded operation notification 
  • Holded operation report 
  • Holded operation warning 
  • Holded payment alert 
  • Holded payment caution 
  • Holded payment message 
  • Holded payment notification 
  • Holded payment report 
  • Holded payment warning 
  • Holded transaction alert 
  • Holded transaction caution 
  • Holded transaction message 
  • Holded transaction notification 
  • Holded transaction report 
  • Holded transaction warning

The 212 messages had different attachments.  Here's a small sampling of the different file names:


Emails sent by this botnet came from different IP addresses before they hit our mail servers.  Sender and message ID headers were all spoofed.  Each of the email headers shows the same Google IP address spoofed as the previous hop.  In the images below, the source IP address (right before the message hit our email servers) is outlined in red.  The spoofed Google IP address is highlighted in blue.  The only trustworthy items are the IP addresses from which these emails reached our mail servers; everything else cannot be verified and can be considered fake.
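As an added example (not the diary's own code), a Python triage script that flags subjects matching the "Holded <object> <noun>" template listed above and pulls the only trustworthy source IP from the Received headers. The sample message, its IP addresses and the MX hostname mx1.example.internal are all constructed for this example.

```python
import re
from typing import Optional
from email import message_from_string
from email.message import Message

# Subject template observed in this wave: "Holded <object> <noun>".
OBJECTS = r"(?:account|bank operation|operation|payment|transaction)"
NOUNS = r"(?:alert|caution|message|notification|report|warning)"
HOLDED_RE = re.compile(rf"^Holded {OBJECTS} {NOUNS}\s*$", re.IGNORECASE)

# Hostname of our own inbound MX (an assumption; replace with the real one).
OUR_MX = "mx1.example.internal"

# Constructed sample message: the top Received header was stamped by our MX,
# the one below it is attacker-supplied and names a Google host as the source.
SAMPLE = """Received: from mail.spoofed.example (mail.spoofed.example [198.51.100.23])
\tby mx1.example.internal with ESMTP id abc123; Mon, 4 May 2015 13:48:02 +0000
Received: from google.com (google.com [203.0.113.9])
\tby mail.spoofed.example; Mon, 4 May 2015 13:47:55 +0000
From: "Bank Dept" <noreply@spoofed.example>
Subject: Holded transaction warning
Message-ID: <fake@google.com>

Please see attached.
"""

def matches_holded_template(subject: str) -> bool:
    """True if the subject fits the Holded <object> <noun> pattern."""
    return bool(HOLDED_RE.match(subject.strip()))

def last_hop_ip(msg: Message) -> Optional[str]:
    """Return the IP from the Received header stamped by OUR_MX.
    Received headers are prepended, so the trustworthy one is the first
    whose 'by' clause names our MX; everything below it is attacker-
    controlled and treated as unverified."""
    for rcvd in msg.get_all("Received", []):
        if f"by {OUR_MX}" in rcvd:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd)
            if m:
                return m.group(1)
    return None

def triage(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message."""
    msg = message_from_string(raw)
    return {
        "holded_match": matches_holded_template(msg.get("Subject", "")),
        "last_hop_ip": last_hop_ip(msg),
    }
```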

This wave sent dozens of different attachment names with hundreds of different file hashes.  I took a random sample and infected a host to generate some traffic.  This Dyre malware is VM-aware, so I had to use a physical host for the infection traffic.  The traffic shows the usual Upatre URLs, Dyre SSL certs and STUN traffic we've seen before with Upatre/Dyre.

Shown above: Filtered Wireshark display of the pcap showing the infection traffic.

Shown above: EmergingThreats-based Snort events on the infection traffic using Security Onion.

Of note is a service run by one of my fellow Rackspace employees [7].  By itself, it's not malicious; it is merely a free service that reports your host's IP address.  Unfortunately, malware authors use this and similar services to check an infected computer's IP address.  Because of that, you'll often find alerts that report any traffic to these domains as an indicator of compromise (IOC).

The Upatre HTTP GET requests didn't return anything.  Apparently, the follow-up Dyre malware was downloaded over one of the SSL connections.  Here's what I grabbed off the infected host:

Dyre first saved to:  C:\Users\username\AppData\Local\Temp\vwlsrAgtqYXVcRW.exe
Dyre was then moved to:  C:\Windows\vwlsrAgtqYXVcRW.exe

Registry keys for persistence:

Key name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\googleupdate
Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\googleupdate
Value name: ImagePath
Value type: REG_EXPAND_SZ
Value data: C:\Windows\vwlsrAgtqYXVcRW.exe
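As an added example (not the diary's own code), a Python check that parses reg query style output for the services key and flags persistence like the googleupdate entry above: a service binary sitting directly in the Windows directory, or an updater-like service name whose binary is not under Program Files. The sample output is constructed; only the googleupdate path comes from the diary, the Dhcp and gupdate entries are invented benign fillers.

```python
import re
from typing import Dict, List

# Constructed output in the style of
#   reg query HKLM\SYSTEM\CurrentControlSet\services /s /v ImagePath
# googleupdate mirrors the diary's persistence key; the rest are fillers.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gupdate
    ImagePath    REG_EXPAND_SZ    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\googleupdate
    ImagePath    REG_EXPAND_SZ    C:\Windows\vwlsrAgtqYXVcRW.exe
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\\w+\\services\\([^\\\s]+)\s*$", re.I)
VALUE_RE = re.compile(r"^\s+ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)

def parse_image_paths(text: str) -> Dict[str, str]:
    """Map service name -> raw ImagePath value from reg query output."""
    paths, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if v and current:
            paths[current] = v.group(1)
    return paths

def executable_of(image_path: str) -> str:
    """Strip quoting and arguments, expand %SystemRoot%, return the binary path.
    Unquoted paths are assumed to contain no spaces (true for the sample)."""
    p = image_path.strip()
    p = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return re.sub(r"%SystemRoot%", lambda _: r"C:\Windows", p, flags=re.I)

def suspicious_services(text: str) -> List[str]:
    """Heuristics: binary directly in the Windows root (real services live in
    subfolders such as system32), or an updater-like name outside Program Files."""
    flagged = []
    for name, image in parse_image_paths(text).items():
        exe = executable_of(image)
        parent = exe.rsplit("\\", 1)[0].lower()
        lookalike = "update" in name.lower() and "program files" not in exe.lower()
        if parent == r"c:\windows" or lookalike:
            flagged.append(name)
    return flagged
```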

A pcap of the infection traffic is available at:

A zip file of the associated Upatre/Dyre sample is available at:

The zip file is password-protected with the standard password.  If you don't know it, email and ask.

Final words

It's a daily grind reviewing this information, and most security professionals have higher priority issues to deal with.  However, if we don't periodically review these waves of Upatre/Dyre, our front-line analysts and other security personnel might not recognize the traffic and may miss the IOCs.

Brad Duncan, Security Researcher at Rackspace
Blog: - Twitter: @malware_traffic



