High
In June 2018, researchers identified the UPAS Kit, a malicious programme linked to the Kronos banking Trojan. The UPAS Kit has a history of use in spam campaigns and has been found on malicious USB drives. The threat actors behind the UPAS Kit use it to hide the presence of other malware, distribute spyware, and install banking Trojans. The malware is known to include anti-VM (anti virtual machine) functionality to thwart analysis in test environments. The UPAS Kit can download payloads, run programs, and propagate to machines on the local network.

The UPAS Kit spreads to other systems through infected USB drives. When an infected USB stick is inserted into a new device, the malware overwrites the ‘autorun.inf’ file so that it launches a hidden EXE program.

UPAS Kit performs several related steps to achieve persistence. It first copies itself to a folder labelled ‘Microsoft’ in the %APPDATA% directory, and also to the %TEMP% directory. The copied file’s name is the first seven characters of the global mutex name stated above, with “_l.exe” appended for the %APPDATA% copy and “_a.exe” appended for the %TEMP% copy. The current file name is compared with the newly generated name; if the two do not match, the malware is executed from the new path. If the check succeeds (the names match), the current file path is saved to the registry run key Software\Microsoft\Windows\CurrentVersion\Run. The malware then determines the system architecture using IsWow64Process, or GetNativeSystemInfo if the former is not available, before returning to its main function.

Removal of this malware can be difficult because it injects itself into a legitimate process. Security scans and patching are therefore necessary alongside the other remediations.
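The persistence pattern described above (a copy in %APPDATA%\Microsoft or %TEMP% named seven characters plus “_l.exe” or “_a.exe”, registered under the Run key) is narrow enough to hunt for. The following is an added example, not code from the original report: it checks exported Run-key values for that pattern. It assumes %APPDATA% and %TEMP% resolve to their default per-user locations (AppData\Roaming and AppData\Local\Temp), that the values are supplied as (name, command line) pairs, and, because the mutex name is not given here, it accepts any seven-character prefix.

```python
import ntpath
import re

# File name: any 7 characters (mutex prefix unknown on this page) + "_l.exe" / "_a.exe".
UPAS_NAME_RE = re.compile(r"^[^\\/]{7}_[la]\.exe$", re.IGNORECASE)

# Default expansions of %APPDATA%\Microsoft and %TEMP% (assumption: default profile layout).
SUSPECT_DIRS = (
    re.compile(r"\\appdata\\roaming\\microsoft$", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\temp$", re.IGNORECASE),
)

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# as a hunt script might export them; these are not real telemetry.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("abcdefg_l", r"C:\Users\alice\AppData\Roaming\Microsoft\abcdefg_l.exe"),
    ("abcdefg_a", r"C:\Users\alice\AppData\Local\Temp\abcdefg_a.exe"),
    ("Spotify", r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe"),
    ("notes", r"C:\Users\alice\AppData\Roaming\Microsoft\notes_l.exe"),  # prefix too short
]


def executable_from_command(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_upas_like(cmd: str) -> bool:
    """True when the executable sits in a suspect folder and matches the naming scheme."""
    path = executable_from_command(cmd)
    name = ntpath.basename(path)
    folder = ntpath.dirname(path)
    return bool(UPAS_NAME_RE.match(name)) and any(r.search(folder) for r in SUSPECT_DIRS)


def find_suspect_run_values(values):
    """Filter (name, command) pairs down to those matching the UPAS Kit persistence pattern."""
    return [(name, cmd) for name, cmd in values if is_upas_like(cmd)]


if __name__ == "__main__":
    for name, cmd in find_suspect_run_values(SAMPLE_RUN_VALUES):
        print(f"suspect Run value {name!r}: {cmd}")
```

Real hunts should read the Run keys under both HKCU and HKLM and confirm hits against the injected process described above rather than trusting the name pattern alone.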