This version of Dyre is spreading via phishing attacks and compromised endpoints have been observed in the U.S., UK, France and Germany.
This version of Dyre is spreading via phishing attacks and compromised endpoints have been observed in the U.S., UK, France and Germany.

Researchers with Proofpoint analyzed a recent sample of the Dyre banking trojan – also known as Dyreza – and noticed some new features, including communications with command-and-control (C&C) servers that take place via SSL on port 443 and port 4443, according to a Thursday post.

By using standard SSL over standard ports, exfiltration traffic looks like any other browser traffic and is tougher to distinguish from legitimate traffic, such as bank logins, Kevin Epstein, VP of information security and governance with Proofpoint, told SCMagazine.com in a Friday email correspondence.

“The malware is not attempting to fake SSL or go around the built-in browser and PC security controls for secured browser communication,” Epstein said. “It is using a real encryption key and actually encrypting data – the problem is that the encryption key is one the attackers created themselves, rather than one validated by a trusted organization; it's a ‘self-signed certificate' [issued to Internet Widgits Pty Ltd.]”

Older malware would communicate with servers directly via HTTP or other protocols over various ports, thus making it easier to detect, Epstein said, explaining that security teams could look for traffic on unexpected ports and examine it for inappropriate command structures.

“Malware writers then started setting up secure (encrypted) tunnels, but setting up such proxies raised the profile of the malware itself on endpoints, and again, teams could look for unexpected encrypted traffic on random ports and block it, even without being able to see the contents,” Epstein said.

This Dyre variant uses a feature called ‘browsersnapshot' to collect cookies, client-side certificates, and private keys stored in browsers, Epstein said. Even if the malware does not intercept an active session, it may have enough information to allow an attacker to impersonate the browser identity and authenticate as the user, he explained.

This version of Dyre also contains a feature that peers into the infected computer's registry, which is a list of important variables for installed software, and copies part of the list, Epstein said, explaining the information is used for what is known as ‘reconnaissance missions.'

“Attackers can build a profile of compromised target corporations and determine what software is most widely installed – and thus which exploits would be most widely effective and least detected in future larger-scale attacks,” Epstein said.

Dyre collects data about software being run by endpoint computers, and also collects login information such as credentials from Salesforce and a large number of global banks, Epstein said. According to the post, the target configuration file is received from the C&C and can be changed. The complete XML configuration file from the Dyre sample analyzed by Proofpoint can be seen here.

This variant of Dyre is being spread through phishing attacks, Epstein said, adding that compromised endpoints have been observed in the U.S., U.K., France and Germany.