New DYRE banking malware in the wild

The experts at TrendMicro detected a new variant of the DYRE /Dyreza banking malware with new propagation and evasion techniques.

Researchers at Trend Micro have identified a new strain of the Dyre (Dyreza) financial malware  (Dyreza), which is targeting a larger number of banks. The new variant of Dyre implements some sophisticated propagation and evasion techniques. According to Trend Micro this DYRE infection was more prominent in the US for the entire month of January (68%), followed by Canada (10%) and Chile (4%).

“Last October 2014 we observed a hike in UPATRE-DYRE malware infections brought by the CUTWAIL spambot, a pattern we observed was similar to the propagation technique used in the ZeuS variant, Gameover. DYRE’s recent design and structure overhaul includes an improvement in its propagation and evasion techniques against security solutions, putting it on our watch list for notable malware for  2015.” reports a blog post from TrendMicro.

In the past months, bad actors exploited the Cutwail spambot to spread the Dyre malware, the new campaign relies on spam email to serve the malicious agent.

The malicious email contains the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the download drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

The propagation technique implemented by the cyber criminals is very effective, the worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them.

“In this new infection chain, we observed that once DYRE is installed, it downloads a worm (orWORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached. The malware uses the msmapi32.dll library (supplied by Microsoft Outlook) that to perform its mail-related routines perform its functions (e.g. Login, Send Mail, Attach Item).” continues the post

The worm used by this variant of Dyre doesn’t send spam emails to the victim’s contacts, instead it uses email addresses passed by the C&C server. Once the emails are sent by the worm it deletes itself.

The experts at TrendMicro revealed that Dyre was first developed to steal data from 206 websites, but the new version includes 355 targets belonging to banks and Bitcoin wallets.

This variant of Dyre uses hard-coded addresses for its IP addresses, the malware authors also implemented backup mechanisms for command and control infrastructure that rely on URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Stay tuned for further information …

Pierluigi Paganini

(Security Affairs –  Dyre, malware)