U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Dyreza banking Trojan uses browser hooking to defeat SSL

Security experts at CSIS in Denmark have discovered a new piece of banking malware, dubbed Dyreza, which implements browser hooking to defeat SSL. Dyreza is the name of a new banking Trojan which is targeting numerous financial institutions, including Bank of America, Citibank, Natwest, RBS and Ulsterbank. Dyreza captured the attention of security researchers due the technique it […]

Dyreza banking Trojan uses browser hooking to defeat SSL

Security experts at CSIS in Denmark have discovered a new piece of banking malware, dubbed Dyreza, which implements browser hooking to defeat SSL.

Dyreza is the name of a new banking Trojan which is targeting numerous financial institutions, including Bank of America, Citibank, Natwest, RBS and Ulsterbank. Dyreza captured the attention of security researchers due the technique it implements, known as browser hooking, to intercept traffic in transit between the targeted bank server and victim’s PC.

Dyreza has been discovered by security experts at CSIS in Denmark, which published a detailed analysis on their website. As usual the attack vector is represented by malicious emails that look like legitimate messages sent by the banks.

Recent investigations show that the group behind these attacks is likely to distribute a new campaign as a “Flash Player update”.

When the victim opens the malicious attachment (e.g. A zip file) Dyreza installs itself on the machine and then contacts a command-and-control server. Like many other banking trojan also Dyreza try to steal user’s credential for online banking services, the browser hooking technique was implemented by the author of the malware to defeat SSL.

dyreza unpacked

Researchers at CSIS have located two Command & Control servers, they one of them includes a money mule panel for several accounts in Latvia.

“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,”  states the official blog post.

The attack scenario is very effective, when users visit the targeted back website and attempt to log in, the data is intercepted by the Dyreza and sent to the attackers. Victims would not be able to detect the attack, there is no evidence that their data is being siphoned off or that Dyreza is hijacking their to a domain controlled by the cyber criminals and it’s no longer encrypted.

With the browser hooking technique the attacker deceives victim into believing that it is still on the legitimate website and it is communicating over a protected connection, in reality the traffic is redirected to the attacker’s website.

As explained by experts at CSIS, Dyreza is able to hook Google Chrome, Mozilla Firefox and Internet Explorer. It is still unclear if the criminal gang behind Dyreza provided the malware with a sale model known as “Crime as a Service” or if the malware is sold as an independent product.

Dyreza is just the last banking Trojan discovered recently, cybercriminal ecosystem is very prolific and after the takeover of the Zeus Gameover botnet new bad actors are trying to propose new and innovative products.

Pierluigi Paganini

(Security Affairs –  Dyreza , banking Trojan)