Fake Facebook Notification Emails Lead to Upatre Malware
Watch out for spam messages in circulation bearing the message “Some men commented on your status”, because a more accurate description might be “Some men sent you Malware”.
Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:
Some men commented on your status.
Mikle wrote: “so cute ;)”
The clickable link leads to a Dropbox page which is currently offline. The Malware involved in this particular spam run claims to be a PDF file:
The spammers are making use of the Windows feature which hides extensions of common file types. The reason for this is to many people, a PDF is just a PDF and nothing to really worry about. It’s a trick as old as the hills, but unfortunately it still catches end-users out. You’d most typically see it where a spammer sends their intended victim what appears to be an image file, but really it’s a disguised .exe just waiting to be double clicked and activated on the target machine.
Time to untick the “hide extensions for known file types” box:
What do we have now? This:
As you can see, the so-called PDF is actually an .scr file, commonly used in Malware campaigns. We’ve seen a number of these in circulation recently, including a fake fax spamrun at the end of March.
As for the Malware itself, the VirusTotal score is currently pegged at 23 / 51, a Malwr analysis can be seen here and users of Malwarebytes Anti-Malware will find we detect it as Trojan.Downloader.Upatre.
Upatre is well-known for email campaigns and downloading additional malware on a compromised PC – from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often tends to go hand in hand with ZBot, which has many ties to Ransomware.
Put simply, running this file and others like it is signing your PC up to a Lucky Dip of Malware.
Well, maybe not so lucky…
Christopher Boyd (Thanks to Steven for sending this over)