Incident Response, Malware, TDR, Vulnerability Management

Tricky new malware strain, Dyre, skirts detection and steals banking credentials

While investigating a successful phishing campaign in which attackers had been using Dropbox to deliver ransomware, researchers with PhishMe uncovered a similar scheme that appears to be using a previously undocumented malware strain.

The malware, referred to as Dyre, is primarily for stealing banking credentials, Ronnie Tokazowski, a senior researcher with PhishMe, told in a Tuesday email correspondence, explaining it goes after specific banks, including Bank of America and Citigroup.

Dyre also monitors network traffic and bypasses SSL mechanisms in browsers, as well as surreptitiously modifies network traffic and redirects users back to legitimate sites, Tokazowski said, explaining it uses a technique known as “browser hooking” in order to steal submitted login data just prior to the information being encrypted.

“In testing, when the data was processed, the user's browser pointed to HTTPS, remained encrypted even after submitting the information, and gave zero signs to the user that their computer was infected – scary stuff,” Tokazowski said, adding the malware is a small code change away from being able to steal Facebook, Gmail and any other accounts passing through HTTPS.

Dyre was initially identified in a new phishing scheme that Tokazowski said is probably from the same attackers responsible for the Dropbox phishing campaign, which, as of last week, may have resulted in 350,000 ransomware infections and more than $70,000 in Bitcoin earned.

This time, emails claiming to contain invoices or federal tax information are linking recipients to Cubby, a service similar to Dropbox, according to a Friday post. When the ZIP file is downloaded and opened, users that run the screensaver file become infected with Dyre.

“In working with Dropbox, [the company has] been very quick to remove the [malicious] links,” Tokazowski said. “With the switch to Cubby, a service by LogMeIn, the attackers [have found] another legitimate service for hosting their malware.”

Despite its similarity to other malware, Tokazowski said he performed extensive open source research – based on strings, domains, infrastructure, code, and more – and could not find anything to prove the Dyre malware had been previously documented.

“I also reached out to crimeware experts in the field, asking to verify if this was new,” Tokazowski said. “The overall conclusion is that this was in fact a new sample targeting enterprises. The industry hasn't seen this until now.”

Researchers with CSIS also analyzed the malware, referring to it as Dyreza.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.