Dyre Trojan Includes Anonymous Communication over I2P Network

Petrovic
Apr 25, 2013
A recent version of the Dyre banking Trojan, delivered via phishing, has been seen to integrate communication through the I2P anonymization network.

Researchers have tried to interact with the I2P node found in the malware sample but no response was received.

Phishing message points to malware dropper
The “voice notification” theme is currently used in emails to trick unsuspecting users into downloading a malware dropper on the system, which later funnels in the Dyre banking Trojan.

Different subject lines are available for the message, which suggests that the cybercriminals automate the process of sending the emails and have integrated a mechanism to avoid detection.

The emails offer a link that claims to take the victim to the voice message, but instead a ZIP archive is downloaded, which carries the Upatre malware dropper. Once launched, the dropper adds Dyre, also known as Dyreza.

Ronnie Tokazowski from PhishMe reports that the code on the download page for the Trojan contains a counter for the number of visits. The researcher says that, at the moment of the analysis, the page had recorded about 10,000 visitors.

These are not unique, Tokazowski says, as the counter would increase by one at each refresh of the page. As such, the number of users that actually received the malware dropper is very likely to be lower; moreover, some of them may have realized the deceit and stopped from executing the file inside the archive.

I2P address found during malware analysis
However, in the unfortunate case that Dyre is installed on the system, it will inject into the topmost svchost.exe process. One interesting finding made by Tokazowski is the addition of an I2P address, which is a service that offers a network layer for anonymous communication.

All the traffic is encrypted end-to-end and there are four layers of encryption when sending messages. As such, it is believed that the I2P service is used for alternative communication means and to make detection and analysis more difficult.

Tokazowski says that even if the content of the traffic is unknown, communication over the I2P network can be prevented by discarding the traffic at the top-domain level. By doing this, the researchers can stop data interception from the victimized computer.

Banking Trojan uses multiple distribution methods
Dyre popped up on the scanners in the security industry in mid-June, and it has been observed that it relies on multiple distribution channels.

The most popular remains Upatre, which generally reaches the victim through phishing attacks, one of the latest being through an email with the subject “Tyranny of the Police,” referencing the Ferguson incidents; but it can also reach the victim through drive-by download attacks.

Dyre’s purpose is purely financial, as it interposes between the client and the bank in order to intercept sensitive communication without the knowledge of either party. Since it emerged, the malware has been updated with an extended list of targets, which also included bitcoin trading websites.
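The mitigation mentioned above, dropping traffic at the top-level-domain level, can be turned into a simple detection over resolver or proxy logs. The following is an added example, not code from the article or from PhishMe: it scans constructed log lines for name lookups whose top-level label is `i2p`, while leaving legitimate names that merely contain the string "i2p" alone. The log format (`query=<name>`) and the sample hosts are assumptions made for the example.

```python
import re

# Constructed sample log lines in an assumed "key=value" resolver/proxy format.
# They are not taken from the article; they exist only to exercise the filter.
SAMPLE_LOG_LINES = [
    "2014-09-15T10:01:02Z host=ws-0142 query=update.example.com type=A",
    "2014-09-15T10:01:05Z host=ws-0142 query=abcdefghijklmnopqrstuvwxyz234567.b32.i2p type=A",
    "2014-09-15T10:01:09Z host=ws-0077 query=mail.example.org type=MX",
    "2014-09-15T10:02:11Z host=ws-0142 query=stats.i2p. type=A",
    # Legitimate name that contains 'i2p' as a label but whose TLD is .net:
    "2014-09-15T10:02:30Z host=ws-0099 query=i2p.example.net type=A",
]

# Top-level labels the defender chooses to discard; the article's point is .i2p.
BLOCKED_TLDS = {"i2p"}

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<name>\S+)")


def tld_of(name):
    """Return the top-level label of a DNS name, ignoring a trailing dot and case."""
    name = name.rstrip(".").lower()
    return name.rsplit(".", 1)[-1]


def is_blocked_name(name):
    """True when the name's TLD is one the policy discards (e.g. anything under .i2p)."""
    return tld_of(name) in BLOCKED_TLDS


def parse_line(line):
    """Extract host and queried name from a log line; None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "name": m.group("name")}


def find_blocked_queries(lines):
    """Return the (host, name) pairs that would be dropped by the TLD policy."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_blocked_name(rec["name"]):
            hits.append(rec)
    return hits


def hosts_by_hit_count(lines):
    """Summarise how many blocked lookups each host made, for triage."""
    counts = {}
    for rec in find_blocked_queries(lines):
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_blocked_queries(SAMPLE_LOG_LINES):
        print("blocked lookup from", rec["host"], "for", rec["name"])
    print(hosts_by_hit_count(SAMPLE_LOG_LINES))
```

Matching on the final label rather than on the substring "i2p" is the point of the example: a resolver or proxy rule written as a plain substring match would also catch ordinary names such as `i2p.example.net`, while a TLD match drops exactly the namespace the researcher suggests discarding and gives a per-host count that can drive follow-up on the machines making the lookups.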