
Dyre infections surge, variants spread through Windows exploit

Dyre infections have surged and new variants of the banking trojan are being spread through exploitation of a Microsoft Windows bug, CVE-2015-0057, which has a patch, two security firms have found.

According to Bitdefender, thousands of users received an archive housing a malicious .exe file which purportedly came from a tax consultant requesting additional information to complete a financial transaction. In an email, users are urged to download the archive and provide the information.

Bitdefender noted that while Dyre employs various man-in-the-middle (MitM) methods to gain access to user accounts, in this most recent campaign, attackers injected malicious code into a legitimate web page to modify it.

Company researchers said in email sent to SCMagazine.com, “Hackers inject malicious Javascript code through a man-in-the-browser attack, allowing them to steal credentials and further manipulate accounts – all completely covertly.”

In a Thursday email correspondence with SCMagazine.com, Alexandra Gheorghe, e-threat analyst at Bitdefender, said that because “the campaign uses different messaging to distribute the malicious payload,” the odds of infection are increased. “The steady evolution of Dyre leads us to believe that this threat has developed into a highly lucrative business for its creators and it will continue to intensify its efforts in the near future,” said Gheorghe.

By bypassing encrypted communications with the C&C server, Bitdefender researchers were able to see that attackers had targeted customers of banks and financial institutions in the U.S., U.K., Australia, France, Germany and Romania, such as Citibank, JP Morgan Chase, PayPal, Bank of America and Wells Fargo.

“It was interesting, but not necessarily surprising to us, to see an even more impressive list of high-profile targets than in previous campaigns,” Gheorghe said.

The security firm said that over the course of three days, 19,000 malicious emails were sent from spam servers located in the U.S., U.K., Taiwan, Denmark, Hong Kong, China, Russia and South Korea as well as other countries.

FireEye researchers first observed new Dyre variants exploiting CVE-2015-0057, a use-after-free vulnerability in the win32k.sys component of the Windows kernel that Microsoft patched on June 17. Attackers can exploit the vulnerability, which was reported to Microsoft by Udi Yavo, “to perform local privilege escalation,” according to a blog post by researchers Yu Wang and Sudeep Singh that details how the exploit is carried out.

If a system has been patched, the new Dyre variants are spread through exploitation of CVE-2013-3660, the post noted.
