# Upatre & 'RSA encrypted' documents

Upatre has an identity crisis: it thinks it's an RSA encrypted document.


Arriving in the form of a seemingly 'signed' RSA document branded with the RSA logo, this very clever change of tactic from the team behind the Upatre/Dyre campaigns attempts something that would probably fool even the most observant of people.

The junk displayed isn't an RSA key; it's just part of a macro, which is part of the TTP associated with this particular campaign. While it's not a new style, it's certainly very clever.

The strings are visible with the fake key being shown here.
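The lure works because a wall of base64-looking text reads as "key material" to a human. An actual PEM block has a rigid shape that junk pasted out of a macro does not, so the distinction is mechanically checkable. The following is an added example, not code from the original post: a small classifier that takes text that looks like a PEM block and reports whether it is structurally a real one (matching BEGIN/END armor, clean base64, decoding to a DER SEQUENCE whose length field agrees with the body) or just junk dressed up as one. The sample inputs are constructed for the example and are not strings from the actual campaign.

```python
import base64
import binascii
import re

# Armor with matching BEGIN/END labels; body captured between them.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def der_sequence_length_ok(der: bytes) -> bool:
    """True if `der` is a single DER SEQUENCE whose length field spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def classify_pem_like_text(text: str):
    """Return ('pem', reason) for a structurally valid PEM block, else ('junk', reason)."""
    m = PEM_RE.search(text)
    if not m:
        return "junk", "no BEGIN/END armor with matching labels"
    label, body = m.group(1), m.group(2)
    joined = "".join(body.splitlines())
    if not joined:
        return "junk", "empty body"
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", joined):
        return "junk", "body contains characters outside the base64 alphabet"
    if len(joined) % 4:
        return "junk", "base64 length is not a multiple of 4"
    try:
        der = base64.b64decode(joined, validate=True)
    except binascii.Error:
        return "junk", "base64 does not decode"
    if not der or der[0] != 0x30:
        return "junk", "decoded bytes do not start with a DER SEQUENCE tag"
    if not der_sequence_length_ok(der):
        return "junk", "DER length field disagrees with the decoded body"
    return "pem", f"well-formed {label} block, {len(der)} DER bytes"


# Constructed sample 1: a minimal but genuine PEM block. The DER body is
# SEQUENCE { INTEGER 5 }, i.e. 30 03 02 01 05, which base64-encodes to MAMCAQU=.
SAMPLE_VALID = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    + base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
    + "\n-----END RSA PUBLIC KEY-----\n"
)

# Constructed sample 2: armor copied from a lure, body is macro junk (spaces, '$', '-').
SAMPLE_JUNK = (
    "-----BEGIN RSA ENCRYPTED DOCUMENT-----\n"
    "ZXKA8 9sdf-lkj $$QW\n"
    "pqLk 77zz\n"
    "-----END RSA ENCRYPTED DOCUMENT-----\n"
)

# Constructed sample 3: clean base64 that decodes to plain text, not DER.
SAMPLE_NOT_DER = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "aGVsbG8=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("valid", SAMPLE_VALID), ("junk", SAMPLE_JUNK), ("not-der", SAMPLE_NOT_DER)]:
        verdict, reason = classify_pem_like_text(sample)
        print(f"{name:8s} -> {verdict}: {reason}")
```

The check is deliberately structural rather than cryptographic: it does not try to parse an RSA key, only to confirm the block could be one. That is enough to flag the lure, since the text shown to the victim fails at the first step (it is not even base64), and a defender triaging a document can run it over every BEGIN/END block the file contains.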

The Dyre/Upatre combination is something that has been used and abused by the same threat actors for some time. This change of tactic, moving on from the regular spam such as invoices and remittance advice to something that makes a genuine attempt at obscuring its payload, shows the constant development that Upatre is undergoing.

Here are some of the proxies in use by the botnet:


@techhelplist has been doing some work on identifying these routers and has a tracker on his site.

Also, Proofpoint have identified this change.