Categories: Malware

New DYRE banking malware in the wild

The experts at TrendMicro detected a new variant of the DYRE /Dyreza banking malware with new propagation and evasion techniques.

Researchers at Trend Micro have identified a new strain of the Dyre (Dyreza) financial malware (Dyreza), which is targeting a larger number of banks. The new variant of Dyre implements some sophisticated propagation and evasion techniques. According to Trend Micro this DYRE infection was more prominent in the US for the entire month of January (68%), followed by Canada (10%) and Chile (4%).

“Last October 2014 we observed a hike in UPATRE-DYRE malware infections brought by the CUTWAIL spambot, a pattern we observed was similar to the propagation technique used in the ZeuS variant, Gameover. DYRE’s recent design and structure overhaul includes an improvement in its propagation and evasion techniques against security solutions, putting it on our watch list for notable malware for 2015.” reports a blog post from TrendMicro.

In the past months, bad actors exploited the Cutwail spambot to spread the Dyre malware, the new campaign relies on spam email to serve the malicious agent.

The malicious email contains the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the download drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

The propagation technique implemented by the cyber criminals is very effective, the worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them.

“In this new infection chain, we observed that once DYRE is installed, it downloads a worm (orWORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached. The malware uses the msmapi32.dll library (supplied by Microsoft Outlook) that to perform its mail-related routines perform its functions (e.g. Login, Send Mail, Attach Item).” continues the post

The worm used by this variant of Dyre doesn’t send spam emails to the victim’s contacts, instead it uses email addresses passed by the C&C server. Once the emails are sent by the worm it deletes itself.

The experts at TrendMicro revealed that Dyre was first developed to steal data from 206 websites, but the new version includes 355 targets belonging to banks and Bitcoin wallets.

This variant of Dyre uses hard-coded addresses for its IP addresses, the malware authors also implemented backup mechanisms for command and control infrastructure that rely on URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Stay tuned for further information …

Pierluigi Paganini

(Security Affairs – Dyre, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.