
UPAS Kit

Posted: April 22, 2019

The UPAS Kit is a backdoor Trojan and Trojan downloader that can infect 32-bit and 64-bit Windows environments and run other threats on them. Its core unit may spread through removable devices by modifying link files, and its modules include support for spyware features that can collect information. This Trojan is a high-level threat, and users should always leave removing the UPAS Kit to a suitable anti-malware program.

A Quick-and-Easy Kit for Dropping More Problems

The UPAS Kit is yet another delivery method for helping other threats compromise a Windows computer, although it has a more storied past than most, with potential connections to security researcher Marcus Hutchins. While the UPAS Kit's creation by the same man who discovered the WannaCry killswitch is not fully verified, many of its similarities to the Kronos banking Trojan are unmistakable. A close look into its capabilities reveals a program with an intricate design and, in some instances, pseudo-unique properties.

The UPAS Kit is predominantly a Trojan downloader that also acts as a backdoor Trojan, giving criminals control over the PC. Some of its modules, though still unexamined by malware experts, imply attacks such as form-grabbing (collecting passwords and other data from form fields), UDP flooding, breaking into FTP accounts, and, of course, loading and launching other Trojans. Some installations include a rootkit-level permissions exploit, which malware experts rarely see in the lower tiers of this threat category.

One of the UPAS Kit's more compelling traits is its installation routine, which can adapt itself to 32-bit or 64-bit environments instead of being locked to one or the other. Even more uncommonly, the two builds exhibit significantly different persistence mechanisms. The 32-bit version injects itself into all running processes, while the 64-bit build performs less injection and omits an uninstall check, for reasons that are unclear. What stands out is the amount of work put into distinguishing the two versions functionally, even though one is stripped-down.

Counteracting Trojans that Multiply

The UPAS Kit's presumed author is undergoing legal proceedings, but users should assume that it, or a variant Trojan built from it, is capable of causing harm. Like many less prominent Trojans, the UPAS Kit's history includes being sold to third parties on Russian Black Hat forums, which raises various possibilities about its future deployment and abuse. Additionally, as a Trojan downloader, it can by definition endanger your PC by dropping more threats whose attacks aren't as narrowly defined as the UPAS Kit's modules.

When its anti-VM check triggers, the UPAS Kit may display an error message, but victims shouldn't depend on this symptom, which is mostly relevant to the research systems of the cyber-security industry. It does, however, highlight the value of virtual machine environments even for average users, who can benefit from the isolation they provide against a range of threats. As always, keep updated anti-malware solutions for removing any UPAS Kit infection quickly and take precautions afterward for re-securing accounts that its attacks could have compromised.

The UPAS Kit spreads seamlessly through USB devices by modifying link (shortcut) files so that they launch both the intended content and the Trojan. As one of a series of examples of how one 'small' Trojan can grow out of control, it's a good reminder of the importance of suitably conservative network security standards.
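How a defender could check a removable drive for shortcuts that have been re-pointed in this way, as an added example that is not part of the original article and not the UPAS Kit's own code. The article does not give the exact command line the Trojan writes into the modified links, so the sample assumes the common pattern of a shortcut redirected through cmd.exe that starts the decoy document and a second executable. The parser reads only the StringData fields of the MS-SHLLINK format (skipping the optional ID list and LinkInfo blocks), the heuristics in `assess_shortcut` are this example's own, and the two shortcuts it examines are constructed in memory rather than read from a real drive.

```python
"""Parse Windows .lnk shortcut files and flag ones that chain a decoy file with a second program."""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkCLSID carried by every shell link: 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Command and script hosts that a shortcut to a document should never point at (assumed list).
COMMAND_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (enough to see target and arguments)."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    return fields


def assess_shortcut(fields: dict) -> list:
    """Heuristics for a shortcut that has been re-pointed to launch extra code."""
    findings = []
    target = fields.get("relative_path", "").replace("/", "\\").lower()
    basename = target.rsplit("\\", 1)[-1]
    args = fields.get("arguments", "")
    icon = fields.get("icon_location", "").lower()
    if basename in COMMAND_HOSTS:
        findings.append(f"target is a command host: {basename}")
    if "&" in args or "|" in args or "start" in args.lower().split():
        findings.append("arguments chain more than one program")
    if basename in COMMAND_HOSTS and icon and not icon.endswith(basename):
        findings.append(f"icon borrowed from an unrelated file: {icon}")
    return findings


def scan_removable_root(root: str) -> dict:
    """Map every .lnk under a mounted removable drive root to its findings."""
    report = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            report[str(path)] = assess_shortcut(parse_lnk(path.read_bytes()))
        except (ValueError, OSError) as exc:
            report[str(path)] = [f"unparseable: {exc}"]
    return report


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Construct a minimal Unicode .lnk in memory (test data only; nothing is written to disk)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # timestamps, sizes, hotkey all zero
    body = b""
    for value in (relative_path, arguments, icon_location):  # same order as STRING_FIELDS
        if value:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


# Constructed samples: a plain document shortcut and one redirected through cmd.exe.
BENIGN_LNK = build_lnk(r".\Report.pdf", icon_location=r".\Report.pdf")
DECOY_LNK = build_lnk(
    r"..\..\Windows\System32\cmd.exe",
    arguments='/c start "" "Report.pdf" & start "" "~data\\svc.exe"',
    icon_location=r".\Report.pdf",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("decoy", DECOY_LNK)):
        print(label, assess_shortcut(parse_lnk(blob)) or ["clean"])
```

Run against a mounted removable drive with `scan_removable_root("E:\\")`; any shortcut with findings deserves a look at the target path and arguments before it is opened, and the `icon borrowed` finding is the tell for a link that still looks like the original document.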
