
New DYRE Variant Hijacks Microsoft Outlook, Expands Targeted Banks

  • Posted on: January 30, 2015 at 8:34 am
  • Posted in: Malware
  • Author: Michael Marcos (Threat Response Engineer)

The DYRE/Dyreza banking malware is back with a new infection technique: we observed that it now hijacks Microsoft Outlook to spread the notorious UPATRE downloader, and it has expanded its list of targeted banks.

In October 2014 we observed a rise in UPATRE-DYRE malware infections delivered by the CUTWAIL spambot, a pattern similar to the propagation technique used by Gameover, a ZeuS variant.

DYRE’s recent design and structure overhaul improves both its propagation and its evasion of security solutions, putting it on our watch list of notable malware for 2015.

New DYRE Infection Chain

DYRE typically arrives on users’ systems via an UPATRE downloader, detected as TROJ_UPATRE.SMBG, that comes as an attachment to spam emails.

Figure 1. Sample spammed emails with UPATRE downloader attached

In this new infection chain, we observed that once DYRE is installed, it downloads a worm (detected as WORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached.

The malware uses the msmapi32.dll library (supplied by Microsoft Outlook) to perform its mail-related routines (e.g. Login, Send Mail, Attach Item).

The information below is extracted/downloaded from the hard-coded C&C address:

  • type
  • send_to_all
  • additional_emails
  • client_connection_id
  • message_attach
  • attach_type
  • attach_name
  • attach_data_base64
  • email
  • subject
  • content
  • id_string

These parameters are used by the malware to send emails to the intended recipients. At no time is the user’s contact list accessed for recipients.

The attached UPATRE malware then downloads DYRE and the cycle repeats. This technique lets DYRE generate spammed emails even faster with the help of its infected users. Below is a quick look at the new infection chain.

The worm WORM_MAILSPAM.XDP connects to the command-and-control (C&C) server address hard-coded in the binary file. It then extracts the necessary parameters from the C&C server in order to compose the spam/phishing email. WORM_MAILSPAM.XDP then takes over Microsoft Outlook on the affected system to send out the emails. The worm deletes itself after executing this propagation routine.
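The behaviour described above gives defenders a concrete host-level signal: a process other than Outlook loading Outlook's MAPI library. The following Python is an added detection example written for this post, not code from Trend Micro or from the malware analysis. It parses constructed image-load events in a Sysmon-style key=value layout (the field names and the allowlist of processes expected to load msmapi32.dll are assumptions for the example) and flags non-allowlisted loaders.

```python
import re
from pathlib import PureWindowsPath

# Constructed image-load events in a Sysmon-style key=value layout (not real telemetry).
# The Temp-directory executable stands in for the worm; its name is a placeholder.
SAMPLE_EVENTS = [
    'Time=2015-01-30T08:34:01Z Event=ImageLoaded Image="C:\\Program Files\\Microsoft Office\\Office15\\OUTLOOK.EXE" ImageLoaded="C:\\Program Files\\Microsoft Office\\Office15\\MSMAPI32.DLL"',
    'Time=2015-01-30T08:35:12Z Event=ImageLoaded Image="C:\\Users\\victim\\AppData\\Local\\Temp\\hx7f.exe" ImageLoaded="C:\\Program Files\\Microsoft Office\\Office15\\MSMAPI32.DLL"',
    'Time=2015-01-30T08:35:13Z Event=ImageLoaded Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="C:\\Windows\\System32\\ws2_32.dll"',
    'Time=2015-01-30T08:36:00Z Event=ProcessCreate Image="C:\\Users\\victim\\AppData\\Local\\Temp\\hx7f.exe" CommandLine="hx7f.exe"',
]

# key=value pairs; values may be double-quoted (paths with spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn 'k=v k="quoted v"' into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

MAPI_DLL = "msmapi32.dll"
# Assumption for this example: Outlook is the only process expected to load
# its MAPI library on the monitored hosts. Extend the set for legitimate add-ins.
MAPI_ALLOWLIST = {"outlook.exe"}

def suspicious_mapi_loads(lines):
    """Return (time, image path) for each non-allowlisted process loading msmapi32.dll."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event") != "ImageLoaded":
            continue
        if PureWindowsPath(ev.get("ImageLoaded", "")).name.lower() != MAPI_DLL:
            continue
        proc = PureWindowsPath(ev.get("Image", "")).name.lower()
        if proc not in MAPI_ALLOWLIST:
            hits.append((ev.get("Time"), ev.get("Image")))
    return hits

if __name__ == "__main__":
    for when, image in suspicious_mapi_loads(SAMPLE_EVENTS):
        print(f"{when}  unexpected MAPI loader: {image}")
```

Only the Temp-directory executable is reported; Outlook's own load of the DLL and the unrelated svchost.exe load are ignored. Because the worm deletes itself after sending, the image-load record may be the only durable trace on the host, which is why this kind of module-load telemetry is worth retaining.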

DYRE’s New Evasion Techniques

  1. Using SSL. It now uses the SSL protocol to hide the data being transmitted. SSL is normally used to protect passwords when logging in to websites; DYRE now uses that same “security” to make analysis of its communications more challenging. Compared with the DYRE variant seen in October 2014, this recent variant uses SSL in all of its communications with the C&C server.

Figure 2. Network traffic between C&C server and the affected system.

If DYRE is unable to connect to the C&C servers hard-coded in the binary, it tries to reach the threat actors using two new methods: URLs produced by a domain generation algorithm (DGA) function, or a hard-coded Invisible Internet Project (I2P) address.

  2. Using an I2P address. Similar to Cryptowall 3.0 and Silk Road Reloaded, this malware uses the I2P network to mask the location of the C&C server. I2P cannot be accessed with a regular web browser; the I2P service must be installed to reach an I2P address.

Figure 3. The infected system will try to connect to the I2P address. The encrypted message will then be passed on to randomly-selected machines connected to the I2P network before reaching the final destination.

  3. Using a domain generation algorithm. The new DYRE variant generates a URL by producing a 34-character string and appending one of the six top-level domains (TLDs): .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. This technique was previously seen in WORM_DOWNAD.A, where it was used to maintain a connection to the threat actors after the hard-coded addresses were taken down.

Figure 4. Memory dump of the top-level svchost.exe

Figure 5. Examples of generated domains that DYRE accesses
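The DGA fallback described above has a fixed shape, a 34-character label under one of a short list of TLDs, which makes it a reasonable resolver-log heuristic. The Python below is an added example written for this post, not code from Trend Micro, and it does not reproduce DYRE's algorithm (which the post does not describe). It assumes the generated label is lowercase letters and digits (the post does not state the alphabet) and a constructed log line format of "<timestamp> <client> query <qname>"; it flags DGA-shaped lookups and reports clients that emit several of them, the burst a host produces when its hard-coded C&C addresses are unreachable.

```python
import re
from collections import defaultdict

# TLDs the post lists for DYRE's DGA fallback domains.
DGA_TLDS = ("cc", "ws", "to", "in", "hk", "cn", "tk", "so")
DGA_LABEL_LEN = 34  # label length stated in the post

# Assumption: the generated label uses lowercase letters and digits; the post does not give the alphabet.
DGA_RE = re.compile(r"^[a-z0-9]{%d}\.(?:%s)$" % (DGA_LABEL_LEN, "|".join(DGA_TLDS)))

def looks_like_dyre_dga(qname):
    """True if the queried name has the shape <34-char label>.<listed TLD>."""
    return DGA_RE.match(qname.lower().rstrip(".")) is not None

def scan_dns_log(lines):
    """Group DGA-shaped lookups by querying client: {client_ip: [qname, ...]}."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # malformed or non-query record
        _ts, client, _kind, qname = parts
        if looks_like_dyre_dga(qname):
            hits[client].append(qname)
    return dict(hits)

def hosts_in_dga_fallback(lines, min_hits=2):
    """Clients with at least min_hits DGA-shaped lookups. A single odd name can be
    noise; a run of them from one host is the fallback behaviour worth triaging."""
    return sorted(c for c, names in scan_dns_log(lines).items() if len(names) >= min_hits)

# Constructed resolver log lines (not real telemetry). Labels are made-up 34-character strings.
SAMPLE_DNS_LOG = [
    "2015-01-30T08:40:00Z 10.0.0.5 query www.trendmicro.com",
    "2015-01-30T08:40:01Z 10.0.0.5 query a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7.cc",
    "2015-01-30T08:40:02Z 10.0.0.5 query zq9x8w7v6u5t4s3r2p1o0nmlkjihgfedcb.tk",
    "2015-01-30T08:40:03Z 10.0.0.9 query mail.example.in",
    # right length but a TLD outside the listed set, so it is not flagged
    "2015-01-30T08:40:04Z 10.0.0.9 query a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7.com",
]

if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, names)
    print("hosts in DGA fallback:", hosts_in_dga_fallback(SAMPLE_DNS_LOG))
```

The shape check is deliberately narrow (exact length plus the listed TLDs) so that short legitimate names under .in or .to are not caught; the per-client threshold is the tunable that trades recall for analyst time.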

DYRE’s Expanded Target List

This new DYRE variant expanded its list of targeted websites from 206 in its original release to 355. Most of the added sites are online bitcoin wallets and banking websites across various countries, mainly in the United States.

The updated DYRE variant waits for users to access any of the targeted websites before carrying out its info-stealing routines. Targeted banking websites include JP Morgan, Barclays, Bank of Melbourne, and Citibank, among others.

Data from the Trend Micro™ Smart Protection Network™ shows that DYRE infections were most prominent in the United States for the entire month of January (68%), followed by Canada (10%) and Chile (4%).

Best practices and recommendations

Always take precautions and be wary of social engineering attacks carried out through email and attachments. Make sure you know who the sender is before downloading an attachment, as this is typically the first point of entry for this type of infection. DYRE and UPATRE are notorious for using archive files such as those ending in .ZIP or .RAR.

Trend Micro protects users from this threat by detecting the spam samples, malicious URLs, and all the malware related to this attack.

Related hashes:

  • f50c87669b476feb35a5963d44527a214041cc2e – TROJ_UPATRE.SMBG
  • 5250d75aaa81095512c5160a8e14f941e2022ece – TSPY_DYRE.YYP
  • 9860d5162150ea2ff38c0793cc272295adf1e19a – WORM_MAILSPAM.XDP
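The hashes above are SHA-1 digests, so the simplest use a responder can make of them is a file sweep. The Python below is an added example written for this post, not Trend Micro tooling: it hashes every file under a directory in streaming fashion and reports matches against the post's IoC list. The demo function builds a constructed directory in a temp folder and adds a placeholder hash for its own sample file, because no real sample is shipped with the example.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-1 digests and detection names copied from the post's "Related hashes" list.
DYRE_IOCS = {
    "f50c87669b476feb35a5963d44527a214041cc2e": "TROJ_UPATRE.SMBG",
    "5250d75aaa81095512c5160a8e14f941e2022ece": "TSPY_DYRE.YYP",
    "9860d5162150ea2ff38c0793cc272295adf1e19a": "WORM_MAILSPAM.XDP",
}

def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()

def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large archives do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs=DYRE_IOCS):
    """Return [(path, detection name)] for every file under root whose SHA-1 is in iocs."""
    matches = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue  # unreadable file (permissions, locked); skip rather than abort the sweep
        if digest in iocs:
            matches.append((str(p), iocs[digest]))
    return matches

def demo_sweep():
    """Constructed directory tree in a temp dir; returns the detection names found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"benign constructed content")
        sample = b"constructed stand-in for a malicious attachment"
        (root / "invoice.zip").write_bytes(sample)
        iocs = dict(DYRE_IOCS)
        # Placeholder entry so the demo has something to hit; not a real DYRE indicator.
        iocs[sha1_of_bytes(sample)] = "CONSTRUCTED_SAMPLE"
        return sorted(name for _, name in sweep(root, iocs))

if __name__ == "__main__":
    print(demo_sweep())
```

A hash sweep only catches the exact samples listed; the module-load and DNS heuristics earlier in this post are what cover repacked variants.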
