Dyreza banking Trojan uses browser hooking to defeat SSL

Security experts at CSIS in Denmark have discovered a new piece of banking malware, dubbed Dyreza, which implements browser hooking to defeat SSL.

Dyreza is the name of a new banking Trojan which is targeting numerous financial institutions, including Bank of America, Citibank, Natwest, RBS and Ulsterbank. Dyreza captured the attention of security researchers due the technique it implements, known as browser hooking, to intercept traffic in transit between the targeted bank server and victim’s PC.

Dyreza has been discovered by security experts at CSIS in Denmark, which published a detailed analysis on their website. As usual the attack vector is represented by malicious emails that look like legitimate messages sent by the banks.

Recent investigations show that the group behind these attacks is likely to distribute a new campaign as a “Flash Player update”.

When the victim opens the malicious attachment (e.g. A zip file) Dyreza installs itself on the machine and then contacts a command-and-control server. Like many other banking trojan also Dyreza try to steal user’s credential for online banking services, the browser hooking technique was implemented by the author of the malware to defeat SSL.

Researchers at CSIS have located two Command & Control servers, they one of them includes a money mule panel for several accounts in Latvia.

“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,”  states the official blog post.

The attack scenario is very effective, when users visit the targeted back website and attempt to log in, the data is intercepted by the Dyreza and sent to the attackers. Victims would not be able to detect the attack, there is no evidence that their data is being siphoned off or that Dyreza is hijacking their to a domain controlled by the cyber criminals and it’s no longer encrypted.

With the browser hooking technique the attacker deceives victim into believing that it is still on the legitimate website and it is communicating over a protected connection, in reality the traffic is redirected to the attacker’s website.

As explained by experts at CSIS, Dyreza is able to hook Google Chrome, Mozilla Firefox and Internet Explorer. It is still unclear if the criminal gang behind Dyreza provided the malware with a sale model known as “Crime as a Service” or if the malware is sold as an independent product.

Dyreza is just the last banking Trojan discovered recently, cybercriminal ecosystem is very prolific and after the takeover of the Zeus Gameover botnet new bad actors are trying to propose new and innovative products.

Pierluigi Paganini

(Security Affairs –  Dyreza , banking Trojan)