430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Malware

New DYRE banking malware in the wild

The experts at TrendMicro detected a new variant of the DYRE /Dyreza banking malware with new propagation and evasion techniques. Researchers at Trend Micro have identified a new strain of the Dyre (Dyreza) financial malware  (Dyreza), which is targeting a larger number of banks. The new variant of Dyre implements some sophisticated propagation and evasion techniques. According to Trend Micro this […]

New DYRE banking malware in the wild

The experts at TrendMicro detected a new variant of the DYRE /Dyreza banking malware with new propagation and evasion techniques.

Researchers at Trend Micro have identified a new strain of the Dyre (Dyreza) financial malware  (Dyreza), which is targeting a larger number of banks. The new variant of Dyre implements some sophisticated propagation and evasion techniques. According to Trend Micro this DYRE infection was more prominent in the US for the entire month of January (68%), followed by Canada (10%) and Chile (4%).

“Last October 2014 we observed a hike in UPATRE-DYRE malware infections brought by the CUTWAIL spambot, a pattern we observed was similar to the propagation technique used in the ZeuS variant, GameoverDYRE’s recent design and structure overhaul includes an improvement in its propagation and evasion techniques against security solutions, putting it on our watch list for notable malware for  2015.” reports a blog post from TrendMicro.

In the past months, bad actors exploited the Cutwail spambot to spread the Dyre malware, the new campaign relies on spam email to serve the malicious agent.

The malicious email contains the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the download drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

dyre malware email

The propagation technique implemented by the cyber criminals is very effective, the worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them.

“In this new infection chain, we observed that once DYRE is installed, it downloads a worm (orWORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached. The malware uses the msmapi32.dll library (supplied by Microsoft Outlook) that to perform its mail-related routines perform its functions (e.g. Login, Send Mail, Attach Item).” continues the post

New DYRE infection-chain

The worm used by this variant of Dyre doesn’t send spam emails to the victim’s contacts, instead it uses email addresses passed by the C&C server. Once the emails are sent by the worm it deletes itself.

The experts at TrendMicro revealed that Dyre was first developed to steal data from 206 websites, but the new version includes 355 targets belonging to banks and Bitcoin wallets.

This variant of Dyre uses hard-coded addresses for its IP addresses, the malware authors also implemented backup mechanisms for command and control infrastructure that rely on URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

New DYRE i2p

Stay tuned for further information …

Pierluigi Paganini

(Security Affairs –  Dyre, malware)