Upatre used for political spam campaign

March 19, 2015

The Dell SonicWALL Threat Research team has observed a variant of the Upatre Trojan being used for political spam. In this case the Trojan is used for an anti-drone campaign, urging victims to stand up to the U.S. Government against the use of drones in war.

Infection Cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

Once infected, the Trojan causes the following PDF file to be displayed on the user's desktop:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\NltgLr.exe [Detected as GAV: Upatre.YYSH (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\OIgjpLdRXtPDrik.exe [Detected as GAV: Battdil.O (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\temp15.pdf
  • %USERPROFILE%\Local Settings\Temp\tmpB0ED.txt (encrypted file)
  • %SYSTEM32%\config\systemprofile\Application Data\nr9bqe8cb6.dll (encrypted file)

The Trojan makes the following DNS queries:

      straphael.org.uk
      canabrake.com.mx
      stun.schlund.de
      docs233.com
      smtp.docs233.com

The Trojan obtains the external IP address of the infected system from DynDNS and reports the infection to a remote web server. It uses the misspelled Mazilla/5.0 user agent string that is typical of malware from this family:

It leaks information about the currently logged-in user and the version of Windows running:

The Trojan downloads the PDF file to be displayed in encrypted form:
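The DNS names and the Mazilla/5.0 user agent string listed above are the network indicators a defender can act on. The following Python script is an added example, not part of the SonicWALL write-up, that sweeps proxy and DNS logs for those indicators. The log line format and the sample log lines are constructed for the example; the DynDNS URL in the sample is an assumption, since the write-up names the service but not the exact address queried.

```python
import re
from typing import Dict, List

# Indicator domains copied from the write-up's list of DNS queries.
UPATRE_DOMAINS = {
    "straphael.org.uk",
    "canabrake.com.mx",
    "stun.schlund.de",
    "docs233.com",
    "smtp.docs233.com",
}

# The misspelled user agent string the write-up attributes to this family.
UPATRE_USER_AGENT = "Mazilla/5.0"

# Constructed sample log (not from the page). Assumed formats:
#   proxy: <timestamp> <src_ip> <METHOD> <url> "<user-agent>"
#   dns:   <timestamp> <src_ip> query <qname>
SAMPLE_LOG = """\
2015-03-19T10:01:02Z 10.0.0.5 GET http://checkip.dyndns.org/ "Mazilla/5.0"
2015-03-19T10:01:05Z 10.0.0.5 query docs233.com
2015-03-19T10:01:06Z 10.0.0.5 GET http://docs233.com/report.php "Mazilla/5.0"
2015-03-19T10:02:10Z 10.0.0.7 GET http://example.org/ "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-19T10:02:11Z 10.0.0.7 query example.org
2015-03-19T10:03:00Z 10.0.0.9 query mail.smtp.docs233.com
"""

PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
DNS_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$')


def domain_matches(qname: str) -> bool:
    """True if qname is an indicator domain or a subdomain of one.

    The comparison is case-insensitive and ignores a trailing dot, so
    'SMTP.docs233.com.' still matches; 'notdocs233.com' does not.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in UPATRE_DOMAINS)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per log line that hits an Upatre network indicator."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            # Exact match on purpose: legitimate browsers send "Mozilla/5.0 ...",
            # and a substring check on "illa/5.0" would flood the queue.
            if m["ua"] == UPATRE_USER_AGENT:
                alerts.append({"src": m["src"], "reason": "user-agent", "value": m["ua"]})
            continue
        m = DNS_RE.match(line)
        if m and domain_matches(m["qname"]):
            alerts.append({"src": m["src"], "reason": "dns", "value": m["qname"]})
    return alerts


def suspect_hosts(text: str) -> List[str]:
    """Sorted, de-duplicated source addresses with at least one indicator hit."""
    return sorted({a["src"] for a in scan_log(text)})


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['reason']} -> {alert['value']}")
    print("hosts to triage:", suspect_hosts(SAMPLE_LOG))
```

Run against the sample log, the script flags 10.0.0.5 twice for the user agent and once for the DNS query, and 10.0.0.9 for a subdomain lookup under smtp.docs233.com, while the ordinary Firefox traffic from 10.0.0.7 is left alone. Hosts on the triage list should then be checked for the dropped files listed earlier in this write-up.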

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Upatre.YYSH (Trojan)
  • GAV: Battdil.O (Trojan)