The Dyre banking Trojan first appeared in June 2014, targeting large financial institutions across the globe. In September, PhishLabs' R.A.I.D. (Research, Analysis, and Intelligence Division) observed a number of enhancements to the banking Trojan that further increase the danger of the threat.
Banking Trojans Expand Beyond Financial Targets
The most recent attack using the Dyre Trojan targeted the cloud computing company Salesforce.com. Historically, banking Trojans were used to steal the account credentials of banking customers, but now sensitive business data is being stolen from companies in healthcare, retail, the software industry and others. Malware developers seek access to organizational systems, and the operating systems they run on, in order to steal data that would aid in identity theft and fraud. Attackers remain patient and persistent: they evolve the tools, harvest the data and attack when it is least expected.
Recent attacks are launched with email lures that abuse popular brands and contain links pretending to lead to content such as secure messages, sensitive documents, and invoices hosted on the trusted brand's website. Figure 1 is an example of a brand-abusing email lure that leads to a download of the Upatre loader, which in turn can install the Dyre Trojan on the compromised computer.
Figure 1. Example email that leads to Upatre download. Source: Softpedia.
Upatre is used by pay-per-install (PPI) services to distribute whatever malware payload the service provider is paid to distribute. In the past, GameOver Zeus (GOZ), keyloggers like Kegotip, and other spyware have been distributed via Upatre. The PPI service used in the Dyre campaigns offers direct downloads disguised as legitimate files or software (a "Secure Message" document, a "Java Update," etc.). The lures either offer a download directly or send victims to a webpage hosting the RIG Exploit Kit, which exploits vulnerable versions of the Adobe Flash and Microsoft Silverlight browser plugins to silently install Upatre (a drive-by download). Both methods have been used to install copies of Upatre that then pushed Dyre onto infected PCs.
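The lure traits described above (brand-name link text, a direct download of an archive or executable, a link that goes somewhere other than the brand's own site) can be checked mechanically before a message reaches a user. The script below is an added example written for this article, not PhishLabs code or a tool from the campaigns; the email body, the `.invalid` host names and the `TRUSTED` brand domain list are all constructed for illustration, and the lure phrases and file extensions are assumptions drawn from the wording above rather than a complete list.

```python
"""Flag brand-abusing download lures in an HTML e-mail body (added example).

Heuristics mirror the lure traits discussed above: the visible link text
promises a 'secure message', invoice or update from a trusted brand, while
the href points to another host, to a bare IP address, or straight to an
archive/executable. Trusted brand domains are supplied by the caller.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure wording seen in the campaigns discussed above (assumed, not exhaustive).
LURE_PHRASES = ("secure message", "invoice", "java update", "document", "statement")
# File types a mail link should not deliver directly (assumed list).
PAYLOAD_EXTENSIONS = (".zip", ".exe", ".scr", ".jar", ".cab")
# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_in(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_links(html_body, trusted_domains):
    """Return [(href, [reasons])] for links that look like download lures."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("link host is a bare IP address")
        if parsed.path.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append("link delivers an archive or executable directly")
        # Display/href mismatch: the text shows one domain, the link goes to another.
        for shown in DOMAIN_RE.findall(text):
            if shown.lower() != host:
                reasons.append(f"visible text names {shown} but link goes to {host}")
        # Lure wording pointing outside the brands the recipient actually trusts.
        if any(p in text.lower() for p in LURE_PHRASES) and not _host_in(host, trusted_domains):
            reasons.append("lure wording with link outside trusted brand domains")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one clean brand link and two lure links.
SAMPLE_EMAIL = """
<p>A Secure Message is waiting for you.</p>
<a href="http://cdn-delivery.invalid/SecureMessage.zip">View Secure Message</a>
<a href="https://www.examplebank.invalid/login">www.examplebank.invalid</a>
<a href="http://198.51.100.23/update/java_update.exe">Install the Java Update</a>
"""
TRUSTED = ("examplebank.invalid",)  # placeholder brand domain

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL, TRUSTED):
        print(href)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, the clean `examplebank.invalid` login link passes while the `.zip` "Secure Message" link and the bare-IP `java_update.exe` link are reported with their reasons; in a gateway, those reasons are the fields worth writing to the mail log so analysts can see which lure pattern fired.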
Recent enhancements to Dyre increase the danger associated with this latest banking Trojan threat. Cybercriminals deploying the new variant have targeted a defined list of large financial institutions with well-crafted email lures.
Enhancements to the Trojan include:
Command and control (C2) communications between the Trojan and its master server are encrypted via Secure Sockets Layer (SSL) and certificates from a trusted Certificate Authority (CA) issued under false pretenses to Dyre botnet operators. This allows the Trojan to communicate with the criminal and transmit stolen data without being detected.
The Trojan now reports a list of running programs and programs configured to start with the system in addition to other host information collected by previous versions. This enhances the criminal operator’s ability to capture information that would be verified through device fingerprinting, enabling them to impersonate the victim’s computer.
A "browsersnapshot" feature collects cookies as well as client-side certificates and private keys used by both Internet Explorer and Firefox, which can be used to better impersonate the victim when using stolen credentials to take over accounts.
Detection and Mitigation
For the first hours after criminals unleash a new version of Upatre, antivirus detection is typically very low, with only 0 to 2 engines flagging the sample, and all of those are generic "suspicious" determinations. Days later, this typically rises to 19 to 21 engines. Detection of new versions of Dyre is much higher, typically 12 to 19 engines at first, plateauing at 31 to 40 after a few days. This much higher detection rate for Dyre is why it needs Upatre (which is practically undetected) as a loader: Upatre deactivates the security controls on the PC, paving the way for Dyre to go undetected.
To avoid becoming a victim of banking Trojans like Dyre, financial institutions and major brands should educate customers on evolving threats and advise them never to click on links or open suspicious documents in emails. Follow our blog for updates on cyber security threats that put your customers' information at risk.