Dear all

This is Upatre downloading Dyre, a banking trojan. The Dyre here is part of a campaign "UK21" targeting several hundred banks worldwide.

Upatre is a specialized downloader, bypassing all AV engines around for a couple of hours. It does download Dyre and shows a decoy PDF to the user. After AV catches up, Upatre will change its structure to bypass detection again.

So, what can you do? Blocking some file extensions of email attachments at the perimeter; however, this can easily be circumvented by the adversaries. And, of course, build user awareness.

On the network side, blocking outgoing SMTP (also a good measure to detect infected client machines) and spam filtering outgoing mails on your MTAs may be effective measures.

Kind regards,
Slavo

On 16.04.15 17:07, Mike Kellenberger wrote:
> Thanks for the tip, Steven.
>
> https://www.virustotal.com/en/file/6159e15c7a5401ba8e7708755b75ce5bb911cb1dbe15253c13a06b4c0f35e5e3/analysis/1429196664/
>
>
> Kaspersky should detect it now - time to force a definition update...
>
> Regards,
>
> Mike
>

--
SWITCH
Slavo Greminger, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 15 45
[email protected], http://www.switch.ch
Security-Blog: http://securityblog.switch.ch

_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
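The remark above that blocking outgoing SMTP at the perimeter also detects infected client machines can be turned into a simple log check: a desktop that tries to reach many distinct external mail servers on tcp/25 is behaving like a spam bot. This is an added example, not part of the thread; the key=value firewall log format, the 10.20.0.0/16 internal range and the relay address 10.20.0.5 are constructed assumptions.

```python
"""Flag internal hosts that try to send mail directly (outbound TCP/25).

Added example, not from the original thread. The log format below is a
constructed key=value firewall line; adapt LINE_RE to your own firewall.
"""
import ipaddress
import re

# Constructed sample lines from a perimeter rule that drops direct outbound SMTP.
SAMPLE_LOGS = """\
Apr 16 17:10:01 fw kernel: OUT-SMTP src=10.20.1.37 dst=198.51.100.7 proto=tcp dpt=25 action=DROP
Apr 16 17:10:01 fw kernel: OUT-SMTP src=10.20.1.37 dst=203.0.113.44 proto=tcp dpt=25 action=DROP
Apr 16 17:10:02 fw kernel: OUT-SMTP src=10.20.1.37 dst=192.0.2.9 proto=tcp dpt=25 action=DROP
Apr 16 17:10:05 fw kernel: OUT-SMTP src=10.20.0.5 dst=198.51.100.7 proto=tcp dpt=25 action=ACCEPT
Apr 16 17:10:07 fw kernel: OUT-WEB src=10.20.1.37 dst=203.0.113.44 proto=tcp dpt=443 action=ACCEPT
Apr 16 17:10:09 fw kernel: OUT-SMTP src=10.20.1.88 dst=192.0.2.9 proto=tcp dpt=25 action=DROP
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dpt=(?P<dpt>\d+) action=(?P<action>\w+)"
)

# Assumed internal client range and the one host allowed to speak SMTP
# to the outside: the organisation's own MTA (hypothetical address).
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_RELAYS = {ipaddress.ip_address("10.20.0.5")}


def suspicious_smtp_clients(log_text, threshold=2):
    """Return {src_ip: number_of_distinct_external_mail_servers} for internal
    hosts (other than the relay) that tried tcp/25 to at least `threshold`
    distinct external destinations, regardless of whether the firewall
    dropped or accepted the attempt."""
    targets = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        # Only client-initiated, outbound mail: internal source, external destination.
        if src not in INTERNAL_NET or dst in INTERNAL_NET or src in ALLOWED_RELAYS:
            continue
        targets.setdefault(src, set()).add(dst)
    return {str(s): len(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, n in suspicious_smtp_clients(SAMPLE_LOGS).items():
        print(f"{host}: tried {n} external mail servers on tcp/25")
```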

