“Tyranny of the Police” Email Delivers Upatre Trojan


Exterminator (Community Manager, Staff Member, thread author) · Oct 23, 2012
A malicious email is currently hitting the inboxes claiming to be delivered by the Deans & Lyons law firm and to inform recipients of new abuses committed by the police following the Ferguson incidents.

The message contains a link that appears to lead to a page on CNN, although the domain name should be enough of a clue to stay clear.

According to Belgium-based MX Lab, a company providing solutions against email threats, accessing the URL downloads a ZIP archive containing a file with a double extension (BreakingNews_pdf_exe). It is a variant of the Upatre Trojan that is generally used to get different malware pieces onto the affected computer.
Threat has five Dutch PE language resources
In order to get the recipient to click on the link, the crooks claim that it is a report made by the law firm about the situation in Ferguson, Missouri. The multiple grammar mistakes in the body of the message should raise the recipient's suspicions.

An analysis of the malicious file on Friday showed that only three out of 54 antivirus engines on VirusTotal were able to identify the threat. However, as of this writing, the detection has increased and 19 products label the item as malicious.

The report on VirusTotal states that there are six PE resources available, five of them being Dutch and one being English.

A commenter on the scanner’s website says that the threat funnels in a version of Dyreza, also known as Dyre. It is a Trojan used for stealing banking information, which has been used against numerous financial institutions in European countries, Switzerland in particular.

It has also been observed to target customers of the cloud-based CRM provider Salesforce, and to steal credentials for Bitcoin trading websites.
Malicious page is no longer active
MX Lab reports that, when the download completes, the URL redirects to a legitimate CNN page offering more details about the Ferguson incidents.

The domain hosting the malicious file has been suspended, and at the moment the risk of getting malware from that address no longer exists. However, cybercriminals may register a new domain for the campaign and keep on sending the deceitful emails.

The malware appears to be distributed under multiple names, including “ybwbh.exe” and “file-7765943_exe,” which suggests that it is distributed through multiple email campaigns.

Malicious email campaigns are particularly frequent and aggressive during the holiday season. Users are advised to refrain from accessing links in suspicious messages and to first verify the information.
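The lure described above relies on a ZIP attachment whose entry uses a double extension with the dot replaced by an underscore ("BreakingNews_pdf_exe"). As an added example, not part of the original post or of MX Lab's analysis, the following Python script scans a ZIP archive for entries named that way, for plain executable extensions, and for files that carry a PE "MZ" header under a document-like name. The archive contents are constructed inline (stub bytes, not a real sample); the extension lists are assumptions chosen for illustration.

```python
import io
import re
import zipfile

# Document extensions commonly spoofed, and executable extensions (assumed lists).
DOC_EXTS = "pdf|doc|docx|xls|txt|jpg"
EXEC_EXTS = "exe|scr|com|pif|bat|cmd"

# "name.pdf.exe" and the underscore-disguised "name_pdf_exe" seen in this campaign.
DISGUISED = re.compile(rf"[._](?:{DOC_EXTS})[._](?:{EXEC_EXTS})$", re.IGNORECASE)
# Any entry ending in an executable extension, dotted or underscored ("file-7765943_exe").
EXECUTABLE = re.compile(rf"[._](?:{EXEC_EXTS})$", re.IGNORECASE)


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for archive entries that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the PE check
            if DISGUISED.search(name):
                findings.append((name, "double extension"))
            elif EXECUTABLE.search(name):
                findings.append((name, "executable extension"))
            elif head == b"MZ":
                findings.append((name, "PE header (MZ) under a non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the campaign's naming; contents are inert stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BreakingNews_pdf_exe", b"MZ" + b"\x00" * 62)  # fake PE stub
        zf.writestr("file-7765943_exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)  # PE hiding behind a document name
        zf.writestr("notes.txt", b"just text")  # benign entry, should not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_zip()):
        print(f"{entry}: {reason}")
```

The name check catches the lure even when the executable never runs; the "MZ" check catches the reverse trick of a real executable shipped under a harmless-looking name.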