Post by Deleted on Mar 3, 2015 10:38:41 GMT -5
This is what we've been battling at work:
Dyre (Dyreza) Remote Access Trojan
History:
Malcovery identified this malware on June 11, 2014, being distributed via typical spam templates which all contained links to a file hosted on Cubby.com, a free cloud storage provider (also known to be attributed to the cloud storage provider Dropbox). Dyre or Dyreza was identified as a RAT (Remote Access Trojan) engineered to steal banking information. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry. The threat actors involved in the cybercrime ring later shifted to distribution via the Upatre downloader Trojan.
Architecture:
Dyre specifically targeted institutions which included Bank of America, Natwest, Citibank, RBS, and Ulsterbank. Unlike Zeus, the malware currently doesn't appear to have advanced capabilities such as data encryption, many-to-one relationships with command and control infrastructure, or randomization of file names. Executable files can be compressed with a packer that shrinks and encrypts the original code. The packed executable decompresses and/or decrypts itself in memory while it is running, so the file on disk is never similar to the memory image of the file. Packers are designed to prevent reverse engineering and supply some level of copy protection, although they can also be used to avoid security software.
Method of Infection:
Dyre is downloaded and installed on compromised systems by the Upatre downloader trojan, which is distributed through spam emails sent by the Cutwail botnet and at least two other spam botnets. The emails contain Upatre as an embedded malware executable in a ZIP attachment or as a malicious URL. In both instances, user interaction is required to compromise the targeted system. Dyre campaigns use different lures, such as impersonating FedEx invoices, electronic faxes, and payroll or financial documents. The email subject and body text can vary and the attachments range from zip files containing .exe, .scr, and .pdf extensions, but they are designed to essentially do the same thing.
How it Works:
Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a back-connect server that allows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor ("web fakes") and a dynamic web inject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking Trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and manipulating website content before it is rendered by the browser. This is shown in the malicious code itself as a list of URLs for popular banking websites, including the following:
businessaccess .citibank .citigroup .com/assets/
cashproonline .bankofamerica .com/assets/
www .bankline .natwest .com/
www .bankline .rbs .com/
www .bankline .ulsterbank .ie/
Known directories include the following:
%AllUsersProfile%\random.exe
%AppData%\Roaming\Microsoft\Windows\Templates\random.exe
%Temp%\random.exe
%AllUsersProfile%\Application Data\random.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
Command and Control:
Since Dyre’s inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure. The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.
I2P:
The Invisible Internet Project (I2P) is an overlay network similar to Tor that offers anonymity. It provides anonymous hosting known as eepSites, which are similar to Tor's hidden services. eepSites allow users to access websites in a way that masks the true location of the server, so that it cannot be easily identified and taken down. On December 3, 2014, CTU researchers observed a Dyre sample that included the following I2P eepSite domain: nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p. Dyre's implementation of an I2P plugin has several tradeoffs. It makes the malware's backend server more difficult to trace, and the encapsulation of Dyre requests using I2P's encrypted protocol could complicate development of network-based signatures. However, I2P has not been widely adopted, so its presence may also be used to identify compromises.
Domain Generation Algorithm:
Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. CTU researchers sinkholed a Dyre DGA domain to identify sources of infection and to ascertain the number of compromised systems that resorted to the DGA for command and control. During a 24-hour interval, the sinkhole received requests from 8,815 unique IP addresses.
Very nasty infection and persistent.
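The two fallback C2 channels described in the post (the date-seeded DGA that emits 34-character names under eight ccTLDs, and the I2P eepSite lookup) both leave a recognisable shape in DNS query logs. The script below is an added example, not code from the original post or from the CTU research it quotes: it does not reimplement the DGA (the post does not give the algorithm), it only flags queries that match the shape the post describes and counts them per client so infected hosts can be found, much as the sinkhole counted sources. The log line format and every sample line are constructed for this example; the one real indicator reused is the .b32.i2p domain quoted above.

```python
"""
Heuristic DNS-log triage for the Dyre fallback C2 channels:
  * DGA-shaped lookups: a 34-character label directly under one of the eight
    ccTLDs named in the post (.cc .ws .to .in .hk .cn .tk .so)
  * I2P lookups: any name ending in .b32.i2p (I2P is rarely seen on corporate
    networks, so its presence is itself a lead)
The DGA is not reimplemented; only the shape of what it emits is matched, so
treat hits as leads to investigate, not as proof of infection.
"""
import re
from collections import defaultdict

DYRE_DGA_TLDS = ("cc", "ws", "to", "in", "hk", "cn", "tk", "so")

# Exactly 34 lowercase alphanumerics, then one of the eight ccTLDs.
DGA_RE = re.compile(r"^[a-z0-9]{34}\.(" + "|".join(DYRE_DGA_TLDS) + r")\.?$")
# Any I2P base32 hidden-service name.
I2P_RE = re.compile(r"\.b32\.i2p\.?$")

# Constructed log format (assumption): "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_qname(qname: str):
    """Return 'dga', 'i2p' or None for a single queried name."""
    q = qname.lower()
    if I2P_RE.search(q):
        return "i2p"
    if DGA_RE.match(q):
        return "dga"
    return None


def triage_dns_log(lines):
    """Scan log lines; return (hits, per_client).

    hits       - list of (client_ip, qname, kind) for every suspicious lookup
    per_client - dict mapping client_ip -> number of suspicious lookups
    """
    hits = []
    per_client = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, _qtype = m.groups()
        kind = classify_qname(qname)
        if kind:
            hits.append((client, qname, kind))
            per_client[client] += 1
    return hits, dict(per_client)


# Constructed sample log: two DGA-shaped names, one I2P lookup, two near-misses
# (33-character label; right length but wrong TLD), one benign name, one
# malformed line.
SAMPLE_LOG = [
    "2015-03-03T10:38:41Z 10.0.0.5 www.example.com A",
    "2015-03-03T10:38:42Z 10.0.0.5 abcdefghijklmnopqrstuvwxyz01234567.cc A",
    "2015-03-03T10:38:43Z 10.0.0.5 q7x2kd9mzp3r8tv4wb6ny1hc5jl0fg2sae.in A",
    "2015-03-03T10:38:44Z 10.0.0.9 abcdefghijklmnopqrstuvwxyz0123456.cc A",
    "2015-03-03T10:38:45Z 10.0.0.9 abcdefghijklmnopqrstuvwxyz01234567.com A",
    # eepSite domain quoted in the post above
    "2015-03-03T10:38:46Z 10.0.0.7 "
    "nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p A",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    found, counts = triage_dns_log(SAMPLE_LOG)
    for client, qname, kind in found:
        print(f"{client:12} {kind:4} {qname}")
    print("suspicious lookups per client:", counts)
```

A 34-character label under .in or .cn is not malicious on its own, so the per-client count matters more than any single hit: a host that resolves dozens of such names in a day, especially across several of the eight TLDs, is far more interesting than one stray lookup. Feed this the DNS log from your resolver or proxy rather than the sample list, and pair the DGA hits with the file-path and I2P indicators above when triaging a host.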