We’re nearing the holiday season and some of you might be going for some early holiday shopping—checking your money to go for a shopping splurge. The holiday season also ushers in cybercrime activities that are typical this time of the year:
- We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRACK, and even some forms of the 419 scam.
- We have also witnessed the increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, often times, phishing pages that mimic the official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post.
This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look of the malware itself, we will then place this malware within the whole threat ecosystem, with its ties to spam and even parcel mule scams, which refers to people who send packages in other parts of the world, acting as ‘mules.’ These people typically fall on this scam because of its ‘get rich easy’ nature.
All About DYRE
This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:
- It has the capability to perform man-in-the-middle attacks through browser injections. It can also get browser snapshots, steal personal certificates, and steal information like the specific browser versions.
- It steals bank credentials and monitors sessions involving online transactions to specific banks.
- It can drop a configuration file that contains the list of targeted banks (via C&C updates) and the bot ID (comprises of the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks include international, American, and European ones.
- It uses Session Traversal Utilities for NAT (STUN), a method for the end host to discover its public IP address if it’s within a network that does network address translation. It’s a common method for applications of real-time voice, video and other messaging services to discover its public IP address, or the IP address that is publicly visible in the internet. Cybercriminals use this method to know exactly the location of their malware (and possibly know who is trying to run it).
Figure 1. Screencap of STUN method
- It also has the capability download a VNC module.
A look into its network profile confirms details of the routines mentioned above:
- Connections to C&C servers at Port 443, with a defined string format
- Connections to STUN Servers
- Accepting inbound connections
- Although not presented in the screen capture below, the user agent being used is Opera/9.80
Figure 2. Network profile for TSPY_BANKER.DYR