
Adobe exploit used to spread Dyre credential stealer

Attackers using credential-stealing malware, called Dyre, are targeting login data entered at bitcoin wallet sites.

Researchers at two firms, Trend Micro and ThreatTrack Security, observed the malware attack campaign, which preys on users running vulnerable versions of Adobe Reader and Acrobat.

The exploit, which leveraged an old vulnerability, CVE-2013-2719, furthers the spread of Dyre – malware known for malicious behavior, such as “man-in-the-middle (MitM) attacks via browser injections, monitoring online banking sessions of targeted banks, and stealing other information such as browser versions, snapshots, and personal certificates,” Trend Micro threat response engineer Rika Joi Gregorio said in a blog post last Thursday.

Criminals sent spam emails purporting to contain invoices. Instead, the malicious PDF attachments were booby-trapped so that users running vulnerable versions of Reader or Acrobat installed Dyre via exploitation, Trend Micro said.

Some of the bitcoin pages targeted in the campaign include bitpay.com, bitbargain.co.uk, bitbargain.co.uk/login, localbitcoins.com and bitstamp.net/account/login, the firm found.

In a blog post last week, security firm ThreatTrack also warned that the bitcoin sites Bitpay, BitBargain and LocalBitcoins were targeted by Dyre, and that other pages, like anxbtc.com, blockchain.info, coinjar.com, and expresscoin.com, were also impacted by the phishing campaign.

ThreatTrack said that it also detected “email ploys like purported messages from JPMorgan Chase and CNN,” delivered to users.

In email correspondence with SCMagazine.com, Jon Clay, senior manager of global threat communications at Trend Micro, said that the “use of exploits, and in particular, the use of Adobe [for exploitation], is a well-established practice by cybercriminals" aiming to spread malware.

“With the widespread use of Adobe on victims' systems it gives criminals a high infection rate using known vulnerabilities to exploit,” Clay added.

Cryptocurrencies, such as bitcoin, are also becoming a popular method of payment for cybercriminals to target, as it enables them to “stay out of reach of law enforcement who can track normal payment options [like] credit cards, bank transactions, etc., more effectively,” he continued.

Last month, customer relationship management software provider Salesforce announced that it had identified Dyre malware, also known as Dyreza, possibly being used to steal its users' credentials. In late September, researchers at Proofpoint analyzed a variant of Dyre that communicates with command-and-control servers via SSL on port 443, in order to make exfiltration traffic tougher to distinguish from legitimate traffic.
