Security Alert: New Dyreza variant supports Windows 10 & Edge

Cyber criminals are very good at keeping up with the times. Here’s the proof.

Our team has recently picked up and analyzed a new variant of the infamous banking Trojan Dyreza.

The results of the analysis show that the info-stealer malware now includes support for Windows 10. This new variant can also hook to Microsoft Edge to collect data and then send it to malicious servers.

Moreover, the new Dyreza variant kills a series of processes linked to endpoint security software, in order to make its infiltration in the system faster and more effective.

The cyber criminals behind Dyreza often spread the malware via “spray & pray” spam campaigns, which are sent to random recipients.

 

How low-tech cyber criminals can launch Dyreza attacks

As it happens more and more often with financial malware, Dyreza is also a “Crime as a Service network” that anyone can buy into. To make it even more appealing – and, consequently, financially viable – the makers have also predefined a group of targets in the code configuration file. The targets are typically online banking websites.

All cyber criminals have to do is buy the malware and deploy it. This is how low-tech attackers can target more unsuspecting victims and harvest their financial information to get into their bank accounts, while malware creators reap the financial benefits of massively selling the malware kits. Increasingly frequently, kits such as this new Dyreza variant or Cryptolocker/Cryptowall 3.1 are sold to anyone who’s interested.

 

80.000 computers tied into botnets and counting

By adding support for Windows 10, Dyreza malware creators have cleared their way to growing the number of infected PCs in their botnet. This financial Trojan doesn’t only drain the infected computers of valuable data – it also binds them into botnets.

It’s estimated that 80.000 machines are already infected with Dyreza worldwide and the number is expected to increase.

Dyreza can hook its malicious code to the following browser processes: “chrome.exe”, “chromium.exe”, “firefox.exe”, “iexplore.exe”, “microsoft edge”.

The data-stealing Trojan can also support the following operating systems:

• Win 7
• Win 7 SP1
• Win XP
• Win 8
• Win 8.1
• Win Server 2003
• Win Vista SP2
• Win Vista
• Win Vista SP1
• Win 10 IP.

 

How the new strain fends traditional security software

Besides including support for Windows 10 and Microsoft Edge, this Dyreza strain has also developed a new module: “aa32” (x86) for 32 bit or “aa64” (x64) for 64-bit. This module is used by attackers to terminate a long list of processes associated with security software. The module injects itself in “spoolsv.exe” and continuously tries to implement “kill processes”.

Consequently, Dyreza manages to achieve a high distribution rate also because of its low antivirus detection. The malware is typically delivered via a downloader, which we know as the “Upatre“.

Dyreza enlists the infected machine into its central botnet by binding it with a campaign ID.

Here is an example:

[% date%] au77 (Australia), [% date%] US12 (USA), [% date%] uk22 (England) and so on.

The timing of this new strain is just right as well: the season for Thanksgiving, Black Friday and Christmas shopping is ready to start, so financial malware will be set to collect a huge amount of financial data. Users will be busy, prone to multitasking and likely to choose convenience over safety online.

We’ve dedicated a longer, more detailed post to the Dyreza malware, which you can read by following this link:

 

UPDATED: Everything About the Powerful Dyreza Malware Attacks

 

Conclusion

 

Cyber criminals are consolidating their business and enhancing their malware to adapt to the market. As security products aim for a higher detection and block rate, they develop their malicious code so it can evade detection by traditional antivirus products, which most users rely on exclusively for protection against all types of attacks.

But not all malware is created equal and, as threats diversify and become more sophisticated (and this happens on a daily basis), protection against them should also spread across multiple layers. And this is not only the case with corporate security, but with individual online safety as well.

Lagging cyber security education and the amount of software vulnerabilities that plague all platforms, but especially Windows-based PCs, are creating an environment that’s so rich in opportunities to exploit that cyber criminals can simply not resist.