New Attach-ception Style Malware Found in the Wild

This week, TrendMicro posted a blog which claimed they had stumbled across a new breed of malware distribution which attempts to duck standard scanning services by burying their program two layers deep.

Instead of creating fake attachments that contain malware on their own, this new variant on the old attack vector decides to go one step further, wrapping their dastardly data in a seemingly innocuous package that is capable of duping most popular email scanning programs including those offered by Gmail and Yahoo.

By impersonating emails from popular banks such as Chase and Wells Fargo, the Upatre Trojan is capable of spamming messages to tens of thousands of people at once, only requiring a one percent clickback rate to prove its profitability to cybercrooks around the globe.


Photo: TrendMicro

On top of everything is a .MSG file which looks innocent enough, but contains another .MSG file within, attached to the virus or malware which is hidden inside another .ZIP archive folded into the creamy center of each attachment.

The Upatre Trojan isn’t all you’ll have to worry about either, with variants of ZeuS(ZBot) and Cryptolocker both utilizing the relatively fresh tactic in order to weasel their way into as many different machines as possible.

Necurs is another treacherous little bug that likes to pair itself up with Upatre, with one acting as the penetration pickaxe, while the other works to quickly disable any security software or firewalls that might try to prevent it from setting up shop and proliferating into the larger cast of botnets.

“The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages.”

At the end of the day most scanners aren’t equipped to handle this new type of virus camouflage, but as it continues to grow into a larger problem for more victims, it won’t take more than a couple lines of code to stop this sort of threat cold in its tracks.