The Internet Storm Center and other security firms are warning about the Upatre botnet.  The initial infection vector is massive spam campaigns.  During the infection process, Upatre drops Dyre on the user's machine.  Dyre is a banking information stealer that operates stealthily and can pattern-match and potentially intercept bank account credentials.

https://isc.sans.edu/forums/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657/

Malicious spam (malspam) delivering Upatre/Dyre has been an ongoing issue for quite some time.  Upatre is the malware downloader that retrieves Dyre (Dyreza), an information stealer described as a “Zeus-like banking Trojan”.  Earlier this year, EmergingThreats reported Upatre and Dyre are under constant development, while SecureWorks told us banking botnets continue to deliver this malspam despite previous takedowns.

Botnets sending waves of malspam with Upatre as zip file attachments are a near-daily occurrence.  Most organizations won't see these emails, because the messages are almost always blocked by spam filters. Because security researchers find Upatre/Dyre malspam nearly every day, it's a bit tiresome to write about, and we sometimes gloss over the information when it comes our way.  After all, the malspam is being blocked, right? Nonetheless, we should continue to document some waves of Upatre/Dyre malspam to see whether anything is changing or evolving.
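For anyone documenting these waves, the useful record per message is the attachment name, its hash, and what the zip contains, without ever extracting or running anything. The following is an added example, not code from the ISC diary or from any of the linked reports: it builds a constructed sample message (a zip holding a harmless text file with a double extension; not a real Upatre sample) and then triages it with the standard library. The list of extensions treated as executable-looking is an assumption made for this example, not something the diary specifies.

```python
from __future__ import annotations

import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Archive member extensions treated as executable payloads.
# This list is an assumption for the example, not taken from the diary.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Construct a sample malspam-style message for the example.

    The zip contains only a plain-text file whose name mimics a double
    extension; nothing here is a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2015-06.pdf.exe", "plain text, not a binary\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> list[dict]:
    """Return one record per attachment: name, size, SHA-256, zip members.

    Zip members are listed by name only; nothing is extracted to disk.
    A record is flagged suspicious when the archive holds an
    executable-looking member or cannot be parsed at all.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[dict] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        record = {
            "filename": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "members": [],
            "suspicious": False,
        }
        # Check both the declared name and the zip magic bytes ("PK").
        if name.lower().endswith(".zip") or data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        record["members"].append(info.filename)
                        if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                            record["suspicious"] = True
            except zipfile.BadZipFile:
                # An attachment that claims to be a zip but will not parse
                # still deserves a look.
                record["suspicious"] = True
        findings.append(record)
    return findings


if __name__ == "__main__":
    for rec in triage_message(build_sample_message()):
        print(rec)
```

Run it against a directory of quarantined .eml files by replacing the constructed message with `open(path, "rb").read()`; the hash and member list are what you keep from wave to wave to see whether anything changes.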

ADDITIONAL LINKS LISTED BELOW

https://www.us-cert.gov/ncas/alerts/TA14-300A
http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
http://securityintelligence.com/dyre-wolf/
http://www.networkworld.com/article/2878966/microsoft-subnet/dyre-banking-trojan-tweaked-to-spread-upatre-malware-via-microsoft-outlook.html
http://www.emergingthreats.net/about-us/blog/dyre-upatre-constant-development
http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
https://major.io/icanhazip-com-faq