UPDATED: Everything About The Powerful Dyreza Malware Attacks
A closer look at one of the most damaging types of financial malware out there
At the beginning of June our security researchers identified a new piece of financial malware that defeats the protection users expect from SSL (Secure Sockets Layer): rather than breaking the encryption, it hooks the browser and reads web traffic before it is encrypted. The malware targets major online banking websites such as Bank of America, NatWest, Citibank, RBS and Ulster Bank.
The malware's behaviour resembles the Zeus family: it hides inside popular web browsers (Internet Explorer, Chrome and Firefox), from where it can capture sensitive data every time a user connects to one of the targeted domains.
Nevertheless, the researchers note that Dyreza is a new banking trojan, not connected to the Zeus family, and that its authors put a great deal of effort into making it as resistant as possible to reverse engineering and antivirus detection.
At the beginning of June we tracked down multiple command and control servers located in Riga, Latvia.
UPDATE 11.02.2015: The latest data in the IT industry reveals that Dyreza now also targets bitcoin login webpages:
Among the targeted bitcoin pages are:
According to our latest analysis, in recent weeks Dyreza has been targeting several banks in Switzerland, and most of its C&C (Command and Control) servers are now located in France.
UPDATE 11.02.2015: Our security analysts report that Dyreza is currently targeting the United Kingdom, affecting users of online banking services on Windows operating systems.
In the October campaigns, the spam e-mails carried various malicious attachments, such as a PPT document, a ZIP archive or a PDF file, that launched the malware. Observed subjects include: “Unpaid invoic“, “New bank details“, “Invoice #[7 random numbers]“. The victim is instructed to download, complete and print the attached file.
UPDATE 11.02.2015: In the last weeks, we noticed Dyreza being spread by spam campaigns and using the following subject lines:
Payment from Chase ban
Payment from you modtage
Wire transfer complete
You having received a new fax
FW: Bank repor
You having received a Payment from Orange LL BBB SBQ Form 34919 (Ref318-218-0-4)
And the following e-mail attachment names (ZIP archive -> file inside it):
FAX_4489328327.zip -> FAX44-81274869.scr
SBQForm-74037.zip -> doc-PDF.exe
bofa_message.zip -> bofa_message.scr
12984-Payment_report.zip -> 12984-Payment_report.scr
document9128.pdf.zip -> document9128 .pdf.scr
document7512_8373.pdf.zip -> document7512_8373.pdf.exe
document1924_pdf.zip -> document1924_pdf.scr
2014bankreport.zip -> 2014bankreport.scr
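The attachment names above share two tricks: an executable (.scr or .exe) inside a ZIP, and a file name that imitates a document ("document9128.pdf.scr", "doc-PDF.exe"). The following is an added example, not code from the original post, showing a mail-gateway style check over the member names of an attachment archive. The extension lists are the author's own choice, and the last sample name is constructed as a benign control.

```python
import re

# Added example, not from the Heimdal post. Flags archive members that are
# executables and, among those, names dressed up as documents.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Stems such as "doc-PDF" or "document1924_pdf" that end in a document word.
PDF_LOOKALIKE = re.compile(r"[_-]pdf$", re.IGNORECASE)

# Member names from the spam campaigns listed above, plus one constructed
# benign file ("invoice.pdf") as a control.
SAMPLE_MEMBERS = [
    "FAX44-81274869.scr",
    "doc-PDF.exe",
    "document9128.pdf.scr",
    "document1924_pdf.scr",
    "invoice.pdf",
]


def classify_member(name: str) -> list:
    """Return the reasons a file name inside an attachment is suspicious."""
    reasons = []
    base = name.strip().lower()
    parts = base.rsplit(".", 2)  # e.g. ['document9128', 'pdf', 'scr']
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
        if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXT:
            reasons.append(f"double extension .{parts[1]}{ext} imitating a document")
        elif PDF_LOOKALIKE.search(parts[0]):
            reasons.append("stem ends in 'pdf' to imitate a document")
    return reasons


def scan_archive(members) -> dict:
    """Map each flagged member name to its list of reasons."""
    flagged = {}
    for name in members:
        reasons = classify_member(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_archive(SAMPLE_MEMBERS).items():
        print(name, "->", "; ".join(reasons))
```

The check works on names only; it is a cheap first filter for a gateway, not a substitute for inspecting the file content (an .scr is a PE executable regardless of what the name says).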
Traffic that can be directly linked to Dyreza uses the following pattern:
GET /0502uk11/[removed by CSIS] HTTP/1.1
User-Agent: Mazilla/5.0
Host: [see IP list below]
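Two things in that request are worth alerting on: the misspelled User-Agent "Mazilla/5.0" and a first path segment shaped like "0502uk11" (digits, a two-letter country code, digits). Below is an added example, not code from the original post, that parses raw HTTP requests and reports those indicators. The path-segment shape is an assumption drawn from the two samples on this page (0502uk11 and 2008uk77), not a documented Dyreza format, and the sample requests are constructed (the host is a TEST-NET address).

```python
import re

# Added example, not from the Heimdal post.
BAD_USER_AGENT = "Mazilla/5.0"
# Assumed shape of the first path segment, based on 0502uk11 / 2008uk77.
CAMPAIGN_SEGMENT = re.compile(r"^\d{4}[a-z]{2}\d{2}$")

# Constructed sample requests; the path reuses the structure shown above.
SAMPLE_DYREZA = (
    "GET /2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM HTTP/1.1\r\n"
    "User-Agent: Mazilla/5.0\r\n"
    "Host: 203.0.113.10:12326\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "GET /online/login HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def dyreza_indicators(raw: str) -> list:
    """Return the Dyreza traffic indicators present in one raw request."""
    req = parse_request(raw)
    hits = []
    if req["headers"].get("user-agent") == BAD_USER_AGENT:
        hits.append("user-agent Mazilla/5.0")
    first = req["target"].split("/")[1] if req["target"].startswith("/") else ""
    if CAMPAIGN_SEGMENT.match(first):
        hits.append(f"campaign-style path segment {first}")
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_DYREZA, SAMPLE_BENIGN):
        print(parse_request(sample)["target"], "->", dyreza_indicators(sample) or "clean")
```

The User-Agent string is the stronger of the two signals; the path shape is only a supporting indicator and should be tuned against your own proxy logs before it is used on its own.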
When the attachment is opened, it attempts to exploit a Windows vulnerability, CVE-2014-4114 (the “Windows OLE Remote Code Execution Vulnerability”), or vulnerabilities in unpatched versions of Adobe Reader.
The vulnerability allows remote code execution if the victim opens the specially crafted file.
An attacker who successfully exploits this vulnerability gains the same rights as the current user; if that user is an administrator, the attacker can make major changes to the affected Windows system.
Once it has infected a machine, Dyreza installs itself as a service that masquerades as Google Update and starts every time the machine boots.
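A service named after Google Update is easy to triage because the genuine updater has a known home. The following is an added example, not code from the original post, that flags such decoys from a list of service records. It assumes that the real updater runs from a ...\Google\Update\GoogleUpdate.exe path and is Authenticode-signed by Google; the records below are constructed (the decoy binary name is invented), and on a live host they would be collected with Get-CimInstance Win32_Service and Get-AuthenticodeSignature.

```python
import ntpath

# Added example, not from the Heimdal post.
# Assumption: accepted Authenticode signers for the genuine updater.
GOOGLE_SIGNERS = {"google inc", "google llc"}

# Constructed service records: one genuine updater, one decoy, one unrelated.
SAMPLE_SERVICES = [
    {"name": "gupdate", "display_name": "Google Update Service (gupdate)",
     "binary_path": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
     "signer": "Google Inc"},
    {"name": "googleupdate", "display_name": "Google Update Service",
     "binary_path": r"C:\Windows\dhjxfrt.exe",   # constructed decoy path
     "signer": ""},
    {"name": "Spooler", "display_name": "Print Spooler",
     "binary_path": r"C:\Windows\System32\spoolsv.exe",
     "signer": "Microsoft Windows"},
]


def image_path(command_line: str) -> str:
    """Strip quotes and arguments from a Win32_Service PathName value."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:command_line.find('"', 1)]
    return command_line.split(" ")[0]


def looks_like_google_update(record: dict) -> bool:
    text = (record.get("name", "") + " " + record.get("display_name", "")).lower()
    return "google" in text and "update" in text


def genuine_location(path: str) -> bool:
    """True if the binary sits in a Google\\Update directory and is GoogleUpdate.exe."""
    parts = [p.lower() for p in ntpath.normpath(path).split("\\")]
    return ("google" in parts and "update" in parts
            and ntpath.basename(path).lower() == "googleupdate.exe")


def triage_services(records) -> list:
    """Return (service name, reasons) for Google Update lookalikes that fail the checks."""
    findings = []
    for r in records:
        if not looks_like_google_update(r):
            continue
        reasons = []
        path = image_path(r["binary_path"])
        if not genuine_location(path):
            reasons.append("binary outside Google\\Update: " + path)
        if r.get("signer", "").lower() not in GOOGLE_SIGNERS:
            reasons.append("not signed by Google (signer=%r)" % r.get("signer", ""))
        if reasons:
            findings.append((r["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES):
        print(name, "->", "; ".join(reasons))
```

Path and signer should be checked together: a decoy dropped into the real Google directory would pass the path test but not the signature test, and a signed binary copied elsewhere would pass the signature test but not the path test.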
UPDATE August 21 2015: One of the groups behind the information stealer and Crime-as-a-Service botnet Dyreza has recently sent a wave of spam e-mails to random addresses, many of them aimed at targets in the UK.
The unwanted e-mail arrives with the following contents:
From: [spoofed / fake return address]
Subject Line: Email from Transport for London
Please open the attached file (7887775.zip) to view correspondence from Transport London.
If the attachment is in PDF format, you will need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader, this is available at no cost on the Adobe website www.adobe.com.
Thank you for contacting Transport for London.
Customer Service Representative
[7 random numbers] .zip
If the recipient extracts the supplied ZIP archive and runs the file inside it, the downloader tries to connect to a series of servers from which it fetches Dyreza (sanitized by Heimdal Security):
http://3.185[.]4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
http://93.185[.]4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
Dyreza is then dropped onto the system and enrols the machine into the botnet through a set of P2P super nodes. Some of these are listed below (sanitized by Heimdal Security):
103[.]230[.]220[.]8:443
103[.]28[.]157[.]202:443
103[.]28[.]157[.]210:443
103[.]39[.]236[.]6:443
109[.]86[.]226[.]85:443
109[.]87[.]63[.]98:443
114[.]30[.]73[.]130:443
115[.]119[.]250[.]245:443
150[.]129[.]48[.]107:443
150[.]129[.]48[.]162:443
150[.]129[.]49[.]139:443
150[.]129[.]49[.]162:443
173[.]185[.]166[.]94:4443
173[.]248[.]18[.]187:4443
176[.]120[.]201[.]9:443
181[.]112[.]153[.]202:443
181[.]112[.]220[.]158:443
181[.]174[.]91[.]90:443
181[.]189[.]152[.]131:443
184[.]190[.]64[.]35:4443
186[.]46[.]142[.]66:443
186[.]47[.]212[.]202:443
188[.]120[.]194[.]101:4443
194[.]28[.]190[.]84:443
195[.]191[.]34[.]245:443
195[.]34[.]206[.]204:443
206[.]123[.]58[.]42:4443
206[.]123[.]60[.]93:4443
206[.]123[.]63[.]88:4443
208[.]123[.]135[.]106:4443
212[.]109[.]179[.]197:443
212[.]37[.]81[.]96:4443
216[.]57[.]165[.]182:443
31[.]42[.]172[.]36:443
45[.]46[.]51[.]25:443
66[.]38[.]33[.]225:4443
67[.]206[.]96[.]193:4443
69[.]27[.]128[.]203:443
69[.]27[.]57[.]164:4443
69[.]89[.]193[.]35:443
69[.]9[.]203[.]23:443
69[.]9[.]204[.]26:443
73[.]143[.]243[.]134:4443
73[.]38[.]228[.]117:4443
84[.]54[.]191[.]170:443
85[.]192[.]165[.]229:443
91[.]187[.]75[.]75:4443
92[.]62[.]254[.]225:443
93[.]119[.]102[.]70:443
93[.]91[.]154[.]243:443
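Defanged indicator lists like the one above are published for people, not firewalls, and the extraction here mixes "[.]" with "[.]," and stray spaces. The following is an added example, not code from the original post, that normalises such lines into validated (ip, port) pairs and matches outbound connections against them. The three node lines are copied from the list above in their raw extracted form; the fourth line and the connection records are constructed.

```python
import ipaddress
import re

# Added example, not from the Heimdal post.
# Raw lines as they appear after extraction, plus one constructed invalid line.
RAW_NODES = """
103 [.], 230 [.], 220 [.] 8: 443
109 [.] 87 [.] 63 [.] 98: 443
173 [.] 185 [.] 166 [.] 94: 4443
# constructed: not a valid IPv4 address, must be rejected
999 [.] 1 [.] 1 [.] 1: 443
"""

# Matches "[.]" with any surrounding spaces and an optional trailing comma.
DEFANG = re.compile(r"\s*\[\.\]\s*,?\s*")


def refang(line: str):
    """Return (ip, port) for a defanged 'a[.]b[.]c[.]d: port' line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    host, sep, port = line.partition(":")
    if not sep:
        return None
    host = DEFANG.sub(".", host).replace(" ", "")
    try:
        ip = ipaddress.IPv4Address(host)   # rejects octets > 255, wrong lengths
        port_num = int(port)
    except ValueError:
        return None
    if not 0 < port_num < 65536:
        return None
    return str(ip), port_num


def load_nodes(text: str) -> set:
    """Build a set of (ip, port) pairs from a block of defanged lines."""
    return {pair for pair in map(refang, text.splitlines()) if pair}


def flag_connections(conns, nodes):
    """conns: iterable of (src_ip, dst_ip, dst_port); return those hitting a node."""
    return [c for c in conns if (c[1], c[2]) in nodes]


# Constructed connection records: one hit on a super node, one to a normal site.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "103.230.220.8", 443),
    ("10.0.0.5", "93.184.216.34", 443),
]

if __name__ == "__main__":
    nodes = load_nodes(RAW_NODES)
    for conn in flag_connections(SAMPLE_CONNECTIONS, nodes):
        print("super-node contact:", conn)
```

Matching on exact (ip, port) pairs keeps false positives low for IP-based indicators of this age; the non-standard port 4443 used by several nodes is itself worth a separate, port-only alert in most environments.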
A second and similar Dyreza botnet campaign arrives carrying a different attached document, but works in the same way described above. The malicious document will download the Dyreza payload from the following domains (sanitized by Heimdal Security):
http://ram-group[.]org/diet/8179826378126.txt
http://Normont[.]com/french/wp-includes/js/jquery/UI/8179826378126.txt
http://ram-group[.]org/diet/sasa.txt
http://Normont[.]com/french/wp-includes/js/jquery/UI/sasa.txt
-> http://www.ideadesignstore[.]it/wp-content/plugins/cached_data/pa.exe
At the time of analysis antivirus detection was extremely low: 0/56 engines on VirusTotal flagged the sample.
How does it spread?
Dyreza is delivered through spam and phishing campaigns, in two variants.
1. The e-mails carry a malicious attachment (a ZIP, PPT or PDF file) which, as soon as it is opened, drops malware on the target machine. The malware then connects to an attacker-controlled server to send and receive data.
Typical subjects are “Your FED TAX payment ID [random number]” and “RE: Invoice #[random number]”. The ZIP files have names like “Documents.zip”, “Document-[random numbers].zip” or “eFax -[random numbers].zip”; when unzipped and run they install the downloader on the system.
2. The e-mails contain a short link to a compromised server hosting a malicious file.
Typical subjects are “Important docs“, “You have a new Secure Message” and “You’ve received a new fax”. If the user clicks the link, the malicious file is downloaded to the system.
The downloader then fetches and executes Dyreza, the banking malware itself, from one of a list of domains hard-coded in the downloader.
UPDATE 11.02.2015: The latest list of domains discovered and blocked by our malware specialists are below (space added by us):
How does it work?
Briefly, the infection proceeds in the following steps; note that the malware can change its behaviour at any moment.
- As mentioned above, when the attached file is opened or the link in the e-mail is followed, a downloader is placed on the system.
- The downloader then connects to the list of domains hard-coded into it.
- One of the attacker-controlled domains in the list responds, sending back Dyreza, which is installed on the system.
- Dyreza targets user credentials for online services, including online banking. It does so with a man-in-the-browser technique: by hooking the browser it reads web traffic before it is encrypted, so the victim sees a normal secure (HTTPS) connection while the data has already been captured.
- The captured login information is sent to attacker-controlled servers. The victim believes the credentials are going to the legitimate bank, but the malware can also redirect the session to a server under the attackers' control.
How can I keep my system protected from Dyreza?
Our security researchers recommend the following measures to protect your computer from phishing campaigns that spread the Dyreza banking malware:
- Don’t click links in e-mails from unknown senders; most online scams spread this way.
- Don’t download or open e-mail attachments from people you don’t know; this is how most financial and data-stealing malware gets onto a system.
- Increase your level of protection by tightening your web browser’s security settings.
- Keep your Windows operating system and your vulnerable software up-to-date with the latest security patches.
- Use a security solution that updates automatically. At this moment, most antivirus vendors detect Dyreza, so make sure your antivirus detects it too.
UPDATE 11.02.2015: Our malware specialists gathered the IP addresses currently associated with Dyreza infections. Analysing some of them shows that most belong to Internet hosting providers and were abused by online criminals:
82.208.52 [.] 146 – Casablanca INT, Czech Republic
83.219.133 [.] 225 – TIS-DIALOG-MNT, Russia
85.112.57 [.] 205 – Joint Stock Company “High Tech Attack”, Russia
86.61.190 [.] 248 – Coma spol. s r.o., Czech Republic
88.82.167 [.] 69 – Optilink, Ltd, Russia
88.84.198 [.] 158 – Citymarket-NET, Russia
A map of the malicious servers’ locations is shown below:
How does Heimdal Pro keep me safe?
First, Heimdal Pro keeps Adobe Reader updated with the latest patches, so the exploit attempt has nothing to exploit. Second, even if a malicious file is downloaded and executed on the system, Heimdal Pro blocks communication with the attacker-controlled servers Dyreza connects to, which breaks the infection chain before the banking malware is fetched.
Dyreza is the latest financial and data stealing malware that we have discovered and our security researchers keep a close eye to its evolution, so that we may provide the best defense against this major threat.
We have released at the beginning of August an article on the most dangerous pieces of financial malware that can empty your bank account and we can say that Dyreza can be added to the list due to its complex nature and its malicious goal.
Dyreza is the type of malware that forces us to update The Top 10 Most Dangerous Malware article.
This post was originally published by Aurelian Neagu in November 2014.