Experts have reported a new variant of the Upatre malware that has been spotted in the past week. The new version is more sophisticated and uses encrypted communication with the C&C-serveren.
Earlier, the threat relied on HTTP traffic using non-standard ports to send information from the affected PC to the remote server, which made blocking the malware’s activity possible.
Upatre with a New User-Agent
Researchers from Cisco’s security intelligence group Talos were the first to notice the new variant. Velig, one of the malware’s modifications uses icanhazip.com instead of checkip.dyndns to recognize the target’s IP address.
Upatre also has a new mechanism to avoid detection – the threat communicates with the C&C server via a new user-agent that appears like a legitimate one and can barely be associated with malicious traffic.
Encrypted Communication with the C&C Server
The new Upatre malware uses Secure Sockets Layer (SSL) cryptographic protocol to cover what kind of information is being exchanged between the affected machine and the command and control server.
Cisco researchers note that although the malware “has always had a small SSL component”, this is the first time experts observe a full switch to SSL for the communication process. The single piece of non-encrypted communication is the process of identifying the IP address. As soon as this task is completed, the traffic gets fully encrypted.
A large part of the previous Upatre variants were distributed to the targeted machine as a PDF file that is an executable. Once the victim launches it, the threat would download an Adobe document to present to the PC user.
The last Upatre version does not rely on this distribution technique anymore. Instead, the payload is being downloaded in the background.
The changes observed by the experts point out that a threat that has been considered easy to block can transform into an advanced piece of malware that is able to avoid detection as soon as it infects the system and hide the traffic to the C&C-serveren.