Dyre Zeus variant malware used for corporate espionage

Security experts warn Dyre malware is being used by cyber criminals for corporate espionage instead harvest banking credentials.

Dyre is the name of a new variant of the immortal Zeus banking trojan worries cyber security experts, this new strain doesn’t limit its stealing activity to user’s banking credentials, but search for customer information.

Dyre has been detected for the first time in June, several security firms detected the new Zeus variant in targeted attacks on major online banking services, including Bank of America, Natwest, Citiban, RBS, Ulsterbank. Dyre works exactly like many popular banking trojan, including Zeus, it implements hooking functionalities for the principal browsers, including Internet Explorer, Chrome and Firefox, and is able to syphon data from the infected system.

I wrote a blog post on Dyre, also known as Dyreza, which was discovered by security experts at CSIS in Denmark, as explained in my previous article it uses browser hooking to defeat SSL and bypass the two-factor authentication mechanism used by the banks to protect customers’ accounts.

“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA.” states Peter Kruse in a blog post published by CSIS.

A newer version of Dyre, however, has begun targeting the popular cloud service Salesforce, the threat actors seem to be interested in the customer information the cloud contains. Unfortunately, as explained by Ami Luttwak, chief technology officer and founder of Adallom, other cloud services could be targeted by Dyre

“We currently believe this threat is not specific or limited to Salesforce which is both good and bad news,” “Dyre is a tool that can be used to steal credentials and information from any website.” Ami Luttwak, chief technology officer and founder of Adallom, stated in a blog post. 

Adallom is a SaaS Security firm vendor that discovered a malware-based attack against Salesforce.com users in February, the Zeus variant used by the bad actors implements the web crawling capabilities to grab sensitive business data from the CRM. The attacks originated from Salesforce employee’s home computer, this variant of Zeus trojan crawled the site and created a real-time copy of the user’s Salesforce.com instance that included all the company account data.

It is clear that something is changing in the motivation of the malicious campaign, while malware tends to specialize on syphoning banking credentials and financial data, in the case of Dyre the attackers are interested in to harvest the greatest volume of data from victims, an indicator that suggest the possibility that threat actors are interesting to corporate espionage or to sell the data in the underground.

Two factors above all are conditioning the modus operandi of attackers behind Dyre:

• Financial institutions are hardening their systems and for criminals the cash out process is becoming difficult to arrange. Services like Salesforce are a relative “easy” target to compromise for hackers.
• Corporate customer information is anyway considered a profitable commodity in the underground, customer data could be used for targeted cyber espionage campaign against companies, or simply to re sell on the black market to other criminal gangs specialized in corporate espionage.

“Since the package contains a list of URLs being targeted, it looks like the creators of this variant simply added Salesforce.com URLs to the target list because it was easy—but unlike banking credentials, we’re not currently aware of any cybercrime stores selling Salesforce.com credentials, which is a telling indicator,” he said.

Let’s be prepared to assist the discovery of an increasing number of malware whose purpose is adapted to corporate espionage.

Pierluigi Paganini

(Security Affairs –  Dyre malware, Zeus)