New DYRE banking malware in the wild

Status
Not open for further replies.

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,356
New-DYRE-infection-chain-300x300.jpg


The experts at TrendMicro detected a new variant of the DYRE /Dyreza banking malware with new propagation and evasion techniques.
Researchers at Trend Micro have identified a new strain of the Dyre (Dyreza) financial malware (Dyreza), which is targeting a larger number of banks. The new variant of Dyre implements some sophisticated propagation and evasion techniques. According to Trend Micro this DYRE infection was more prominent in the US for the entire month of January (68%), followed by Canada (10%) and Chile (4%).

“Last October 2014 we observed a hike in UPATRE-DYRE malware infections brought by the CUTWAIL spambot, a pattern we observed was similar to the propagation technique used in the ZeuS variant, Gameover. DYRE’s recent design and structure overhaul includes an improvement in its propagation and evasion techniques against security solutions, putting it on our watch list for notable malware for 2015.” reports a blog post from TrendMicro.

In the past months, bad actors exploited the Cutwail spambot to spread the Dyre malware, the new campaign relies on spam email to serve the malicious agent.

The malicious email contains the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the download drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.



The propagation technique implemented by the cyber criminals is very effective, the worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them.

“In this new infection chain, we observed that once DYRE is installed, it downloads a worm (orWORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached. The malware uses the msmapi32.dll library (supplied by Microsoft Outlook) that to perform its mail-related routines perform its functions (e.g. Login, Send Mail, Attach Item).” continues the post



The worm used by this variant of Dyre doesn’t send spam emails to the victim’s contacts, instead it uses email addresses passed by the C&C server. Once the emails are sent by the worm it deletes itself.

The experts at TrendMicro revealed that Dyre was first developed to steal data from 206 websites, but the new version includes 355 targets belonging to banks and Bitcoin wallets.

This variant of Dyre uses hard-coded addresses for its IP addresses, the malware authors also implemented backup mechanisms for command and control infrastructure that rely on URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top