The DYRE/Dyreza banking malware is back with a new infection technique: we observed that it now hijacks Microsoft Outlook to spread the notorious UPATRE malware and that it targets an expanded list of banks.
In October 2014 we observed a spike in UPATRE-DYRE infections delivered by the CUTWAIL spambot, a pattern similar to the propagation technique used by the ZeuS variant Gameover.
DYRE's recent design and structure overhaul improves both its propagation and its evasion of security solutions, putting it on our watch list of notable malware for 2015.
New DYRE Infection Chain
DYRE typically arrives on users' systems via an UPATRE downloader, detected as TROJ_UPATRE.SMBG, that comes as an attachment to spam emails.
Figure 1. Sample spammed emails with UPATRE downloader attached
In this new infection chain, we observed that once DYRE is installed, it downloads a worm (detected as WORM_MAILSPAM.XDP) that is capable of composing email messages in Microsoft Outlook with the UPATRE malware attached.
The worm uses the msmapi32.dll library (supplied by Microsoft Outlook) to perform its mail-related routines (e.g., login, send mail, attach item).
The information below is extracted/downloaded from the hard-coded C&C address:
These parameters are used by the malware to send emails to the intended recipients. At no time is the user’s contact list accessed for recipients.
The attached UPATRE malware then downloads DYRE and the cycle repeats. This technique lets DYRE generate spammed emails even faster with the unwitting help of its infected users. Below is a quick look at the new infection chain.
The worm WORM_MAILSPAM.XDP connects to a command-and-control (C&C) server address hard-coded in its binary. It then extracts the necessary parameters from the C&C server in order to compose the spam/phishing email. WORM_MAILSPAM.XDP then takes over Microsoft Outlook on the affected system to send out the emails. The worm deletes itself after executing this propagation routine.
DYRE’s New Evasion Techniques
- It now uses the SSL protocol to hide the data being transmitted. SSL is normally used to secure passwords when logging in to websites; DYRE now uses that "security" to make analysis of its communications more challenging. Compared to the DYRE variant seen in October 2014, this recent variant uses SSL in all its communications with the C&C server.
Figure 2. Network traffic between C&C server and the affected system.
If DYRE is unable to connect to the C&C servers hard-coded in the binary, it tries to reach the threat actors using two new methods: URLs provided by a domain generation algorithm (DGA) function, or a hard-coded Invisible Internet Project (I2P) address.
- Using an I2P address. Similar to Cryptowall 3.0 and Silk Road Reloaded, this malware uses the I2P network to mask the location of the C&C server. I2P cannot be accessed with a regular web browser; rather, the I2P service must be installed to reach an I2P address.
Figure 3. The infected system will try to connect to the I2P address. The encrypted message will then be passed on to randomly-selected machines connected to the I2P network before reaching the final destination.
- Using a Domain Generation Algorithm. The new DYRE variant generates a URL by producing a 34-character string and appending one of six top-level domains (TLDs): .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. This technique was previously seen in WORM_DOWNAD.A and was used to establish a connection to the threat actors even after the hard-coded addresses were taken down.
Figure 4. Memory dump of topmost level svchost.exe
Figure 5. Examples of generated domains that DYRE accesses
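The DGA behaviour described above gives defenders a usable network signal: a host cycling through several distinct 34-character names under the listed TLDs in a short window. The following detection sketch is an added example, not code from the original post or from Trend Micro; the log format, the sample lines, the alphanumeric alphabet of the generated label and the alert threshold are all assumptions.

```python
import re
from collections import defaultdict

# TLDs the article lists for DYRE's DGA output, and the generated label length
DYRE_DGA_TLDS = {"cc", "ws", "to", "in", "hk", "cn", "tk", "so"}
DGA_LABEL_LEN = 34

# Assumed resolver log format (constructed): "<timestamp> <client-ip> query: <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+)$")

# Constructed sample log: 10.0.0.12 cycles through three DGA-shaped names,
# 10.0.0.40 hits a single long (but plausibly legitimate) name under .cc
SAMPLE_LOG = """\
2015-01-27T10:01:02Z 10.0.0.12 query: www.example.com
2015-01-27T10:01:05Z 10.0.0.12 query: k3j9qz7xw2lm8vt4bnp6hc1rd5fys0aegu.cc
2015-01-27T10:01:07Z 10.0.0.12 query: pa7vx3mqe9kd2tzwn5b8lcyr4hgj6fs1ou.tk
2015-01-27T10:01:09Z 10.0.0.12 query: e2r7ytq5wd8jzn3cvb6pk1lm4hs9xg0fau.so
2015-01-27T10:01:12Z 10.0.0.40 query: thisisaveryveryverylongbrandnameok.cc
2015-01-27T10:01:15Z 10.0.0.7 query: mail.example.in
""".splitlines()


def is_dyre_dga_candidate(qname: str) -> bool:
    """Structural match only: one 34-character label directly under a listed TLD.
    The [a-z0-9] alphabet is an assumption; the article gives only length and TLDs."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 2:
        return False
    label, tld = labels
    return (tld in DYRE_DGA_TLDS and len(label) == DGA_LABEL_LEN
            and re.fullmatch(r"[a-z0-9]+", label) is not None)


def candidates_per_client(lines):
    """Map each client IP to the distinct DGA-shaped names it queried."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_dyre_dga_candidate(m["qname"]):
            seen[m["client"]].add(m["qname"].rstrip(".").lower())
    return seen


def suspicious_clients(lines, min_distinct=2):
    """Alert on hosts that queried several distinct DGA-shaped names: a single
    long name under .cc may be legitimate, a burst of different ones rarely is."""
    per_client = candidates_per_client(lines)
    return sorted(c for c, names in per_client.items() if len(names) >= min_distinct)
```

Run against the constructed log, only 10.0.0.12 is reported; the threshold should be tuned against a baseline of your own resolver traffic.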
DYRE’s Expanded Target List
This new DYRE variant expanded its list of targeted websites from 206 in its original release to 355. Most of the added sites are online Bitcoin wallet and banking websites across various countries, mainly centered in the United States.
The updated DYRE variant waits for users to access any of the targeted websites before carrying out its info-stealing routines. Some of the targeted banking websites include JP Morgan, Barclays, Bank of Melbourne, Citibank, among others.
Data from the Trend Micro™ Smart Protection Network™ shows that DYRE infections were most prominent in the United States for the entire month of January (68%), followed by Canada (10%) and Chile (4%).
Best practices and recommendations
Always take precautions and be wary of social engineering attacks carried out through email and attachments. Make sure you know who the sender is before even considering opening an email attachment, as this is typically the first point of entry for this type of infection. DYRE and UPATRE are notorious for using archive files such as .ZIP or .RAR attachments.
Trend Micro protects users from this threat by detecting the spam samples, the malicious URLs, and all the malware related to this attack.
f50c87669b476feb35a5963d44527a214041cc2e – TROJ_UPATRE.SMBG
5250d75aaa81095512c5160a8e14f941e2022ece – TSPY_DYRE.YYP
9860d5162150ea2ff38c0793cc272295adf1e19a – WORM_MAILSPAM.XDP