Our ‘BlackBerry Cylance Versus’ series takes an in-depth look at malware from A to Z, from past to present. Our goal is to reveal how and why threats that may have been active for years still work, and what we, as a security community, can do to combat them.
Upatre, first seen in the wild in August 2013, reached its zenith in 2015. While it has declined in popularity since then, it remains a viable threat to organizations today. Upatre protects its payload with two encryption routines: the first is an XOR and ROL (rotate left) routine, the second is RC4.
Upatre usually spreads through spam emails carrying infected attachments, often posing as invoices or voicemail notifications. It can also arrive inside password-protected archives or through drive-by downloads from infected website links. Upatre sometimes uses the icon of a legitimate file type as a decoy (figure 1):
Figure 1: The PDF icon is a decoy
When Upatre executes, it drops a copy of itself on the local system and downloads malicious files to %temp%\[randomfilename].exe.
Once active, Upatre can steal information and download additional malware like:
Upatre is protected by two encryption routines, XOR/ROL and RC4. Both the protector and the payload use the same string obfuscation method (shifting letters, figure 2), which may indicate that they were written by the same author:
Figure 2: Shifting letter obfuscation
Upatre checks the SizeOfCode field of the PE optional header before unpacking. If the value is not 768, or is larger than 131581, the unpacking routine is skipped and the process crashes (figure 3):
Figure 3: Size of code check
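The SizeOfCode gate above is a cheap pre-check to reproduce when triaging a batch of samples: read the field straight from the optional header and see whether the sample would even reach the unpacker. The following is an added example, not code from the article or from Upatre itself. It walks a PE header by hand (MZ, e_lfanew, PE signature, COFF header, optional header) rather than using a library, and it reads the article's two numbers as an inclusive range 768..131581; that range interpretation, the constructed header bytes and the helper names are assumptions.

```python
import struct

# Offsets in a PE32 optional header (IMAGE_OPTIONAL_HEADER32): Magic at +0, SizeOfCode at +4.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20

# Bounds as stated in the write-up; treating them as an inclusive range is this example's assumption.
SIZE_OF_CODE_MIN = 768
SIZE_OF_CODE_MAX = 131581


def read_size_of_code(image: bytes) -> int:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header, return SizeOfCode."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_header = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt_header)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", image, opt_header + 4)[0]


def passes_upatre_size_gate(size_of_code: int) -> bool:
    """True when the sample would proceed to unpack under the check described in the article."""
    return SIZE_OF_CODE_MIN <= size_of_code <= SIZE_OF_CODE_MAX


def build_minimal_pe(size_of_code: int) -> bytes:
    """Constructed input (not a real sample): just enough header to exercise read_size_of_code()."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData (rest zero-padded)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 14, 0, size_of_code, 0, 0, 0x1000, 0x1000, 0x2000)
    return bytes(dos) + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")


def triage(image: bytes) -> dict:
    """Report the field and the gate result for one image, as a sandbox pre-check would log it."""
    size = read_size_of_code(image)
    return {"SizeOfCode": size, "would_unpack": passes_upatre_size_gate(size)}


if __name__ == "__main__":
    for n in (767, 768, 0x2000, 131581, 131582):
        print(triage(build_minimal_pe(n)))
```

A practical consequence of this gate: any tool that rewrites the sample (a patcher, an unpacker that re-emits sections, or a harness that appends data) can change SizeOfCode and turn a live sample into one that crashes before unpacking, so run the check on the untouched file.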
The start of the packed region is pointed to by ESI, which the entry point set to off_405200 (figure 4):
Figure 4: ESI pointing to PE header
The unpacking routine starts by calculating the size of the packed region (Figure 5):
Figure 5: The first unpacking routine
The first unpacking routine ends with a return into the decrypted area. The next unpacking routine uses RC4 and resolves API addresses manually (figure 6):
Figure 6: Second unpacking routine
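The two routines described above (XOR/ROL first, RC4 second) are the kind of thing an analyst reimplements to recover the payload statically instead of letting the sample run. The following is an added example, not code from the article or from Upatre: it implements an XOR-with-repeating-key plus 8-bit rotate-left layer, a plain RC4 (KSA and PRGA), and runs them in the order the unpacker does over a constructed packed region. The keys, the rotation count of 3, the XOR-then-ROL order within the first layer, and the fake payload are all assumptions; the article only identifies the algorithms, not their parameters.

```python
# Stage 1: byte-wise XOR with a repeating key followed by an 8-bit rotate left.
# Stage 2: RC4. Keys, shift and XOR-then-ROL order are assumptions for this example.

def rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def xor_rol_decrypt(data: bytes, key: bytes, shift: int) -> bytes:
    """First layer: XOR each byte with the repeating key, then rotate left (assumed order)."""
    return bytes(rol8(b ^ key[i % len(key)], shift) for i, b in enumerate(data))


def xor_rol_encrypt(data: bytes, key: bytes, shift: int) -> bytes:
    """Inverse of xor_rol_decrypt: rotate right, then XOR (used here only to build the sample)."""
    return bytes(ror8(b, shift) ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed sample (not real Upatre data): a fake payload image wrapped first in RC4 and
# then in the XOR/ROL layer, so that unpacking peels XOR/ROL first and RC4 second.
STAGE1_KEY = b"\x5a\xa5\x3c"     # assumed
STAGE1_SHIFT = 3                 # assumed
STAGE2_KEY = b"upatre-rc4-key"   # assumed
PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"payload-stub"

PACKED_REGION = xor_rol_encrypt(rc4(STAGE2_KEY, PAYLOAD), STAGE1_KEY, STAGE1_SHIFT)


def unpack(packed: bytes) -> bytes:
    """Run both layers the way the unpacker does: XOR/ROL first, then RC4."""
    stage1 = xor_rol_decrypt(packed, STAGE1_KEY, STAGE1_SHIFT)
    return rc4(STAGE2_KEY, stage1)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check that a decrypted region is the expected image (MZ header present)."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    recovered = unpack(PACKED_REGION)
    print("recovered PE header:", looks_like_pe(recovered), recovered[:2])
```

When applying this to a real sample, the stage-1 parameters come from the instructions in figure 5 (the XOR operand and the ROL immediate) and the RC4 key from the routine in figure 6; the MZ check at the end is the quickest way to confirm that the key and the byte-operation order were read correctly, since a wrong order or shift produces noise rather than a header.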
After kernel32 is loaded and the current EIP modified, the entry point is set to 127Ah (the location of the original entry point). This value will be overwritten later (figure 7):
Figure 7: Entry point set
Next, Upatre imports the following APIs (figure 8):
Figure 8: Importing APIs
The malware overwrites a large part of the loaded code and preserves the rest by copying it to newly allocated memory. Upatre then cleans the current image by zeroing memory from the image base before the payload is unpacked. The payload is then unpacked (figure 9):
Figure 9: Payload unpacking routine
After the payload is unpacked, Upatre decrypts the network strings used to download additional malware. Downloaded files are stored under a temp path (figures 10 and 11):
Figure 10: Upatre decrypts network strings for downloading malicious files
Figure 11: Upatre acquires a temp path for storing malicious files
Upatre's encryption and obfuscation routines were created to evade traditional signature-based anti-virus products (this does not affect CylancePROTECT®), which makes the malware a threat to systems that still rely on signature-based defenses. Upatre has no persistence mechanism of its own, but it can download additional malware that establishes persistence and adds malicious functionality.
While Upatre may continue to evolve over time, it still looks like a threat to our AI-trained security solution. BlackBerry Cylance, which offers a predictive advantage against zero-day threats, is also effective against legacy malware like Upatre, because it spots a threat based on countless file attributes instead of a specific file signature. BlackBerry Cylance detects and prevents Upatre and its numerous variations before they can execute.