UPDATED: Everything About The Powerful Dyreza Malware Attacks
A closer look at one of the most damaging types of financial malware out there
Our security researchers identified, at the beginning of June, a new piece of financial malware capable of bypassing the SSL (Secure Sockets Layer) security protocol. The malware targets major online banking websites, such as Bank of America, Natwest, Citibank, RBS and Ulsterbank. Its behavior is similar to the Zeus family: it is able to hide in popular web browsers like Internet Explorer, Chrome and Firefox, from where it can retrieve sensitive data every time a user connects to the targeted domains. Nevertheless, the security researchers note that Dyreza is a new banking trojan, not connected to the Zeus family, and that the hackers put a great deal of effort into making it resist reverse engineering techniques and avoid antivirus detection. At the beginning of June, we tracked down and located multiple servers in Riga, Latvia.

UPDATE 11.02.2015: The latest data in the IT industry reveals that Dyreza now also targets bitcoin login webpages. Among the targeted bitcoin pages are:
- bitbargain.co.uk
- bitpay.com
- localbitcoins.com
- www.bitstamp.net
According to our latest analysis of Dyreza, in the last weeks this malicious software has been targeting several banks in Switzerland, and most of its C&C (Command and Control) servers are now located in France.

UPDATE 11.02.2015: Our security analysts have tracked down Dyreza and informed us that this powerful malicious threat is currently targeting the United Kingdom, affecting users of online banking services on Windows operating systems.

In the recent campaigns from October, the spam e-mails contained various malicious attachments, such as a PPT document, a ZIP archive or a PDF file that launched the malware. The e-mail subjects come as “Unpaid invoic”, “New bank details” and “Invoice #[7 random numbers]”. The targeted victim is instructed to download, complete and print the attached file.

UPDATE 11.02.2015: In the last weeks, we noticed Dyreza being spread by spam campaigns using the following subject lines:
- your Documen
- your document
- Important Documen
- Payment from Chase ban
- Payment from you modtage
- Company repor
- Wire transfer complete
- You having received a new fax
- FW: Bank repor
- You having received a Payment from Orange LL
- BBB SBQ Form 34919 (Ref318-218-0-4)

And the following e-mail attachment names:
- FAX_4489328327.zip -> FAX44-81274869.scr
- SBQForm-74037.zip -> doc-PDF.exe
- bofa_message.zip -> bofa_message.scr
- 12984-Payment_report.zip -> 12984-Payment_report.scr
- document9128.pdf.zip -> document9128 .pdf.scr
- document7512_8373.pdf.zip -> document7512_8373.pdf.exe
- document1924_pdf.zip -> document1924_pdf.scr
- 2014bankreport.zip -> 2014bankreport.scr

Traffic which can be directly linked with Dyreza uses the following pattern:
GET /0502uk11/[removed by CSIS] HTTP/1.1
User-Agent: Mazilla/5.0
Host: [see IP list below]
Cache-Control: no-cache

As soon as the file is executed, the malicious file tries to exploit a Windows vulnerability, CVE-2014-4114, also known as the “Windows OLE Remote Code Execution Vulnerability”, or vulnerabilities found in unpatched versions of Adobe Reader. The vulnerability could allow remote code execution if the victim opens the specially crafted file. An attacker who successfully exploits it gains the same rights as the current user and can then make major changes to the affected Windows system. Once it has infected a machine, Dyreza appears as a Google Update service which starts every time the machine starts.

UPDATE August 21 2015: One of the groups behind the information-stealing and Crime-as-a-Service botnet Dyreza has recently sent a swarm of spam e-mails to random e-mail addresses, many of them oriented towards targets in the UK. The unwanted e-mail arrives with the following contents:

From: [spoofed / fake return address]
Subject Line: Email from Transport for London
Contents:
Dear Customer
Please open the attached file (7887775.zip) to view correspondence from Transport London. If the attachment is in PDF format, you will need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader, this is available at no cost on the Adobe website www.adobe.com.
Thank you for contacting Transport for London.
Business Operations Customer Service Representative
Attached: [7 random numbers].zip

If the supplied zip file is opened by an unsuspecting recipient, its content is activated immediately and tries to connect to a series of servers from which it downloads Dyreza (sanitized by Heimdal Security):
- http://3.185[.]4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
- http://93.185[.]4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM -> 0034095.scr

Dyreza is then dropped onto the system, subsequently enrolling the machine into a central botnet via a strip of P2P super nodes. A section of these includes (sanitized by Heimdal Security):
- 103[.]230[.]220[.]8:443
- 103[.]28[.]157[.]202:443
- 103[.]28[.]157[.]210:443
- 103[.]39[.]236[.]6:443
- 109[.]86[.]226[.]85:443
- 109[.]87[.]63[.]98:443
- 114[.]30[.]73[.]130:443
- 115[.]119[.]250[.]245:443
- 150[.]129[.]48[.]107:443
- 150[.]129[.]48[.]162:443
- 150[.]129[.]49[.]139:443
- 150[.]129[.]49[.]162:443
- 173[.]185[.]166[.]94:4443
- 173[.]248[.]18[.]187:4443
- 176[.]120[.]201[.]9:443
- 181[.]112[.]153[.]202:443
- 181[.]112[.]220[.]158:443
- 181[.]174[.]91[.]90:443
- 181[.]189[.]152[.]131:443
- 184[.]190[.]64[.]35:4443
- 186[.]46[.]142[.]66:443
- 186[.]47[.]212[.]202:443
- 188[.]120[.]194[.]101:4443
- 194[.]28[.]190[.]84:443
- 195[.]191[.]34[.]245:443
- 195[.]34[.]206[.]204:443
- 206[.]123[.]58[.]42:4443
- 206[.]123[.]60[.]93:4443
- 206[.]123[.]63[.]88:4443
- 208[.]123[.]135[.]106:4443
- 212[.]109[.]179[.]197:443
- 212[.]37[.]81[.]96:4443
- 216[.]57[.]165[.]182:443
- 31[.]42[.]172[.]36:443
- 45[.]46[.]51[.]25:443
- 66[.]38[.]33[.]225:4443
- 67[.]206[.]96[.]193:4443
- 69[.]27[.]128[.]203:443
- 69[.]27[.]57[.]164:4443
- 69[.]89[.]193[.]35:443
- 69[.]9[.]203[.]23:443
- 69[.]9[.]204[.]26:443
- 73[.]143[.]243[.]134:4443
- 73[.]38[.]228[.]117:4443
- 84[.]54[.]191[.]170:443
- 85[.]192[.]165[.]229:443
- 91[.]187[.]75[.]75:4443
- 92[.]62[.]254[.]225:443
- 93[.]119[.]102[.]70:443
- 93[.]91[.]154[.]243:443

A second and similar Dyreza botnet campaign arrives carrying a different attached document, but works in the same way described above. The malicious document downloads the Dyreza payload from the following domains (sanitized by Heimdal Security):
1st round:
- http://ram-group[.]org/diet/8179826378126.txt
- http://Normont[.]com/french/wp-includes/js/jquery/UI/8179826378126.txt
2nd round:
- http://ram-group[.]org/diet/sasa.txt
- http://Normont[.]com/french/wp-includes/js/jquery/UI/sasa.txt
Dyreza 2008uk77 -> http://www.ideadesignstore[.]IT/wp-content/plugins/cached_data/pa.exe

Antivirus detection is extremely low: 0/56 on VirusTotal.
How does it spread?
Dyreza is delivered through spam and phishing campaigns.
1. The e-mails contain various malicious attachments, such as a ZIP, PPT or PDF file, which as soon as it is opened drops malware on the target machine. The malware then connects to a hacker-controlled server to send and receive information. We find e-mail subjects like “Your FED TAX payment ID [random number]” and “RE: Invoice #[random number]” in most of the sent e-mails. The zip files have names like “Documents.zip”, “Document-[random numbers].zip” or “eFax -[random numbers].zip”, which when unzipped and run install the downloader on the system.
2. The e-mails contain a short link to a compromised server where a malicious file is hosted. We find e-mail subjects like “Important docs”, “You have a new Secure Message” and “You’ve received a new fax” in most of the sent e-mails. If a user clicks the link in the e-mail, the malicious file is downloaded onto the system.
The downloader then fetches and executes Dyreza, the banking malware, which is downloaded from a list of domains specified in the downloader.

UPDATE 11.02.2015: The latest list of domains discovered and blocked by our malware specialists is below (space added by us):
- patri ziapulcina.it
- wginf otech.net
- gawen a.blink.pl
- busin essmoney.in
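The delivery mechanism described above (ZIP attachments that unpack to a .scr or .exe carrying a document-like name, plus a small set of recurring subject lines) lends itself to a mail-gateway check. The Python below is an added example written for this page, not code from Heimdal Security or CSIS: it parses a message with the standard library, unpacks any ZIP attachment in memory and flags executable members, including the double-extension trick in names such as document9128 .pdf.scr. The subject regexes, the executable extensions beyond the .scr/.exe seen on the page, and the sample message are our own constructions.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .scr and .exe are the executable types inside the attachments listed on the page;
# the remaining entries are a constructed extension of that list.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Subject patterns built from the subject lines quoted on the page (regexes are ours).
SUBJECT_PATTERNS = [
    re.compile(r"^(RE:\s*)?Invoice #\d+$", re.I),
    re.compile(r"^Your FED TAX payment ID \d+$", re.I),
    re.compile(r"^You(?:'|’)ve received a new fax$", re.I),
    re.compile(r"^You have a new Secure Message$", re.I),
    re.compile(r"^Email from Transport for London$", re.I),
]


def risky_members(zip_blob: bytes) -> list:
    """Return (member name, verdict) for every Windows executable inside a ZIP blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
        for name in zf.namelist():
            # "document9128 .pdf.scr" -> "document9128.pdf.scr": spaces hide nothing from us
            lowered = name.lower().replace(" ", "")
            if not lowered.endswith(EXECUTABLE_EXTS):
                continue
            stem = lowered.rsplit(".", 1)[0]  # drop the real (executable) extension
            disguised = any(token in stem for token in ("pdf", "doc", "xls", "ppt"))
            verdict = "executable disguised as document" if disguised else "executable"
            findings.append((name, verdict))
    return findings


def scan_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and report subject and attachment indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    report = {
        "subject": subject,
        "subject_match": any(p.search(subject) for p in SUBJECT_PATTERNS),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        members = []
        if fname.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(blob)):
            members = risky_members(blob)
        elif fname.lower().endswith(EXECUTABLE_EXTS):
            members = [(fname, "bare executable")]
        report["attachments"].append({"filename": fname, "members": members})
    report["suspicious"] = report["subject_match"] or any(
        a["members"] for a in report["attachments"]
    )
    return report


def build_sample_message(subject="Invoice #1234567",
                         zip_name="document9128.pdf.zip",
                         member_name="document9128 .pdf.scr") -> bytes:
    """Constructed sample mail shaped like the campaign above (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ constructed stub, not a real binary")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # placeholder sender
    msg["To"] = "recipient@example.invalid"   # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Please download, complete and print the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_message(build_sample_message(subject="Lunch on Friday?",
                                            zip_name="notes.zip",
                                            member_name="notes.txt")))
```

The check is deliberately structural rather than signature-based: the subject list will go stale as soon as the spammers rotate wording, but an archive that unpacks to a .scr pretending to be a PDF stays suspicious whatever the subject says.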
How does it work?
We will briefly present the steps that take place in the infection phase, bearing in mind that we are dealing with malware that could change its behavior at any moment.
- As we mentioned above, when the attached file is accessed or the link in the e-mail is followed, a downloader is placed on the system.
- The next step takes place when the downloader connects to a list of domains specified in the downloader.
- One of the hacker-controlled domains in the list responds by sending back and installing Dyreza on the system.
- Dyreza targets sensitive user credentials for online services, including banking services. To do this, the malware uses a MiTM (man-in-the-middle) attack that lets the hackers intercept the web traffic inside the browser, before it is encrypted, while the victim still believes they are on a secure connection.
- The captured login information is sent to hacker-controlled servers. During the connection, the victim believes the credentials are sent to the legitimate bank, but the malware actually redirects the traffic to a compromised server.
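The infection steps just listed, the beacon pattern quoted earlier (campaign tag as first path element, misspelled Mazilla/5.0 User-Agent) and the super-node list from the August 2015 update all come down to outbound connections a defender can match on. The Python below is an added example, not code from Heimdal Security or CSIS: it refangs a subset of the page's sanitized indicators, parses a raw HTTP request and a constructed firewall log, and reports which indicator matched. The campaign-tag regex is our generalization of the two tags shown on the page (0502uk11 and 2008uk77), the firewall log format and its lines are made up, and the path element the page redacts is replaced by a placeholder.

```python
import re

# Indicators copied from the page, still sanitized with "[.]": a subset of the P2P super
# nodes (ip:port) from the August 2015 update and hosts named in the other updates.
DEFANGED_SUPER_NODES = [
    "103[.]230[.]220[.]8:443",
    "109[.]87[.]63[.]98:443",
    "173[.]185[.]166[.]94:4443",
    "212[.]37[.]81[.]96:4443",
    "93[.]91[.]154[.]243:443",
]
DEFANGED_HOSTS = {
    "93.185[.]4.90": "Dyreza payload download server (Aug 2015)",
    "82.208.52[.]146": "Dyreza C&C, Casablanca INT (Feb 2015)",
    "88.84.198[.]158": "Dyreza C&C, Citymarket-NET (Feb 2015)",
}


def refang(indicator: str) -> str:
    """Undo the [.] sanitization so an indicator can be compared with log fields."""
    return indicator.replace("[.]", ".")


SUPER_NODES = {refang(n) for n in DEFANGED_SUPER_NODES}
KNOWN_HOSTS = {refang(ip): label for ip, label in DEFANGED_HOSTS.items()}

# Beacon shape from the page: first path element is a campaign tag such as 0502uk11 or
# 2008uk77 (our generalization: 4 digits, 2 letters, 2 digits); UA is "Mazilla/5.0".
CAMPAIGN_PATH = re.compile(r"^/\d{4}[a-z]{2}\d{2}/")
BEACON_UA = re.compile(r"^Mazilla/", re.I)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify_request(raw: str) -> list:
    """Return the reasons a request looks like a Dyreza beacon (empty if none)."""
    req = parse_request(raw)
    reasons = []
    if CAMPAIGN_PATH.match(req["path"]):
        reasons.append("campaign-tag path")
    if BEACON_UA.match(req["headers"].get("user-agent", "")):
        reasons.append("Mazilla user-agent")
    host_ip = req["headers"].get("host", "").split(":")[0]
    if host_ip in KNOWN_HOSTS:
        reasons.append(KNOWN_HOSTS[host_ip])
    return reasons


# Constructed firewall log format (not any real product's format): key=value pairs.
FW_FIELDS = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def classify_connection(line: str) -> list:
    """Flag connections to a known super node (ip:port) or a known host (ip)."""
    m = FW_FIELDS.search(line)
    if not m:
        return []
    hits = []
    if f"{m['dst']}:{m['dport']}" in SUPER_NODES:
        hits.append("Dyreza P2P super node")
    if m["dst"] in KNOWN_HOSTS:
        hits.append(KNOWN_HOSTS[m["dst"]])
    return hits


def scan_firewall_log(lines) -> list:
    """Return (line, hits) for every log line that matches an indicator."""
    return [(line, classify_connection(line)) for line in lines if classify_connection(line)]


# Constructed samples: the beacon follows the pattern quoted on the page with the redacted
# element replaced by a placeholder; the benign request and the log lines are made up.
SAMPLE_BEACON = """GET /0502uk11/PLACEHOLDER_ID/0/61-SP1/0/FDMBEFJBMKBEMM HTTP/1.1
User-Agent: Mazilla/5.0
Host: 93.185.4.90:12326
Cache-Control: no-cache
"""
SAMPLE_BENIGN = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com
"""
SAMPLE_FW_LOG = [
    "2015-08-21T10:12:03Z src=10.0.0.15 dst=173.185.166.94 dport=4443 proto=tcp",
    "2015-08-21T10:12:09Z src=10.0.0.15 dst=192.0.2.10 dport=443 proto=tcp",
    "2015-08-21T10:13:41Z src=10.0.0.22 dst=82.208.52.146 dport=80 proto=tcp",
]

if __name__ == "__main__":
    print(classify_request(SAMPLE_BEACON))
    print(classify_request(SAMPLE_BENIGN))
    for line, hits in scan_firewall_log(SAMPLE_FW_LOG):
        print(hits, line)
```

Matching on ip:port for the super nodes matters because the list mixes 443 and 4443; matching on the bare address would also catch unrelated traffic to shared hosting providers, which is exactly what the February 2015 update says most of these addresses are.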
How can I keep my system protected from Dyreza?
Our security researchers recommend the following measures to protect your computer from phishing campaigns that spread the Dyreza banking malware:
- Don’t click links in e-mails you receive from unknown e-mail addresses. Most online scams are spread through this method.
- Don’t download and open e-mail attachments from people you don’t know. This is how most dangerous financial and data-stealing malware infects systems.
- Increase your online protection level by adjusting your web browser security settings.
- Keep your Windows operating system and your vulnerable software up-to-date with the latest security patches.
- Use a security solution that updates automatically. At this moment, most antivirus vendors detect Dyreza, so make sure your antivirus detects it too.
UPDATE 11.02.2015: Our malware specialists gathered all the IP addresses that are currently connected to Dyreza infections. By analyzing some of them, we found that most belong to Internet hosting providers and were used for malicious purposes by online criminals:
- 82.208.52[.]146 – Casablanca INT, Czech Republic
- 83.219.133[.]225 – TIS-DIALOG-MNT, Russia
- 85.112.57[.]205 – Joint Stock Company “High Tech Attack”, Russia
- 86.61.190[.]248 – Coma spol. s r.o., Czech Republic
- 88.82.167[.]69 – Optilink, Ltd, Russia
- 88.84.198[.]158 – Citymarket-NET, Russia

The map below shows the locations of these malicious servers:
How does Heimdal™ Threat Prevention keep me safe?
First of all, Heimdal Pro makes sure your Adobe Reader is updated with the latest patches, so the exploit attempt does not affect you. Second, even if a malicious file is downloaded and executed on the system, Heimdal Pro prevents the code from running by blocking the communication with the hacker-controlled servers Dyreza connects to.
Dyreza is the latest financial and data-stealing malware we have discovered, and our security researchers keep a close eye on its evolution so that we can provide the best defense against this major threat. At the beginning of August we published an article on the most dangerous pieces of financial malware that can empty your bank account, and Dyreza can be added to that list due to its complex nature and its malicious goal. Dyreza is the type of malware that forces us to update The Top 10 Most Dangerous Malware article.