OFFICIAL SECURITY BLOG

Fake Facebook Notification Emails Lead to Upatre Malware

April 2, 2014 | BY Christopher Boyd

Watch out for spam messages in circulation bearing the message “Some men commented on your status”, because a more accurate description might be “Some men sent you malware”.

Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:

[Image: the fake Facebook notification email]

“Hello,

Some men commented on your status.

Mikle wrote: “so cute ;)”

The clickable link leads to a Dropbox page which is currently offline. The malware involved in this particular spam run claims to be a PDF file:

[Image: the downloaded file, displayed as a PDF]

The spammers are abusing the Windows default that hides the extensions of known file types. The trick works because, to many people, a PDF is just a PDF and nothing to worry about: give an executable a name along the lines of invoice.pdf.scr and Explorer, with extensions hidden, shows it as invoice.pdf. It’s a trick as old as the hills, but it still catches end users out. You’d most typically see it where a spammer sends the intended victim what appears to be an image file, but is really a disguised .exe just waiting to be double-clicked and run on the target machine.

Time to untick the “hide extensions for known file types” box:

[Image: Folder Options with “Hide extensions for known file types” unticked]

What do we have now? This:

[Image: the same file, now showing its real .scr extension]

As you can see, the so-called PDF is actually an .scr file. A screensaver is just an ordinary Windows executable under a different extension, which is why .scr is so commonly used in malware campaigns. We’ve seen a number of these in circulation recently, including a fake fax spam run at the end of March.
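To make the mechanism concrete, here is an added example of my own (not code from the Malwarebytes post) that models how Explorer’s “Hide extensions for known file types” setting turns a name such as invoice.pdf.scr into invoice.pdf, and a small triage check that flags such double-extension lures before anyone double-clicks them. The sample file names and the lists of executable and document extensions are assumptions for illustration, not an authoritative Windows table.

```python
"""Model of the Windows "Hide extensions for known file types" lure.

Added illustration, not code from the original post. The extension lists
and sample names are the example author's assumptions, not an
authoritative Windows table.
"""
from __future__ import annotations

import os

# File types Windows executes on double-click (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl", ".msi",
}

# File types a victim reads as a harmless document or picture (assumed list).
DOCUMENT_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt",
    ".jpg", ".jpeg", ".png", ".gif", ".bmp",
}

# Explorer only hides extensions that are registered as known file types;
# this example treats both sets above as registered (assumption).
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def real_extension(filename: str) -> str:
    """The extension Windows actually dispatches on: the final one."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it.

    With the default setting on, a known final extension is stripped, so
    'invoice.pdf.scr' is shown as 'invoice.pdf' and looks like a document.
    An unregistered extension is never hidden, so 'fax.pdf.xyz' is shown whole.
    """
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def classify(filename: str) -> str:
    """Triage verdict for one attachment name.

    'disguised executable': runs as code, but the name a victim sees (with
    extensions hidden) ends in a document-style extension.
    'executable': runs as code, no document disguise.
    'not executable': everything else.
    """
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return "not executable"
    shown = displayed_name(filename)
    inner = os.path.splitext(shown)[1].lower()
    if inner in DOCUMENT_EXTS:
        return "disguised executable"
    return "executable"


def triage(filenames):
    """Tabulate each name: real extension, what the user sees with
    extensions hidden, and the verdict."""
    return [(n, real_extension(n), displayed_name(n), classify(n)) for n in filenames]


if __name__ == "__main__":
    # Constructed sample names, in the spirit of the spam run above.
    samples = ["invoice.pdf.scr", "fax.pdf.xyz", "photo.jpg.exe",
               "setup.exe", "report.pdf"]
    for row in triage(samples):
        print("%-18s real=%-5s shown=%-16s -> %s" % row)
```

The checkbox in the screenshot is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 (for example with Set-ItemProperty in PowerShell) is the scripted equivalent, and takes effect once Explorer is restarted. Note that the model only covers the hidden-extension trick; a mail gateway should still judge attachments by content, not by any part of the name.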

As for the malware itself, the VirusTotal score is currently pegged at 23/51, a Malwr analysis can be seen here, and users of Malwarebytes Anti-Malware will find we detect it as Trojan.Downloader.Upatre.

Upatre is well known for email campaigns and for downloading additional malware onto a compromised PC; from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often goes hand in hand with ZBot, which has many ties to ransomware.

Put simply, running this file and others like it is signing your PC up to a lucky dip of malware.

Well, maybe not so lucky…

Christopher Boyd (Thanks to Steven for sending this over)


  • https://www.facebook.com/LaFroggie Kathi Beck

    This may not be the correct place to leave this comment but this is the ONLY place I could find to comment! I have used Malwarebytes for 4 years alongside my SwagBucks programs and have NEVER had an interaction between the two until this year. This year Malwarebytes keeps telling me that ALL my SwagBucks programs are infected and deletes them! Can one of you authors please tell me what is going on???? I really am tired of putting my SwagBucks Toolbar back after running my Malwarebytes program to keep my PC clean! Especially when I know that SwagBucks, after 4 years, is not just now infecting my PC. I really love my Malwarebytes program and do not want to delete it but… Please just help me!

  • Matthew Roslevich

    It isn’t “infecting” your PC, per se. It’s considered a browser hijacker because it changes settings without (or possibly with…) your knowledge. When you install the SB toolbar, it changes DNS settings, changes your default homepage, and can also automatically install other, more threatening things.

    http://botcrawl.com/how-to-remove-the-swagbucks-virus/

    So, Malwarebytes is operating correctly, as the toolbar, while not really “malicious”, changes settings and shows third-party ads, and has been known to cause malware.

  • https://www.facebook.com/turboaaa Michael Mast

    Kathi Beck,

    Get rid of Swag Bucks now! Anything that reroutes your web traffic is bad. Ads are bad too. They are sending code from people who pay them. They could send ANY code and not just ads if they’re lazy. So go to your banking site, they overlay it with ads, and one of them injects a keylogger. I’m always getting calls to remove the stuff off computers along with a wide range of other hijacks.

    That being said, you can add it to the ignore list and Malwarebytes won’t touch it. It flags my YouTube downloader because the free version bundles hijacks (Spigot) but I know how to install it without the hijacks. It’s in my ignore list and everything is working properly.