
Dyre Malware Takes Inventory of Software on Infected Systems

Dyre Malware

Researchers have uncovered a new variant of the Dyre (Dyreza) banking Trojan and have discovered that malware developers have added several new features to the threat.

Capabilities of the Dyre malware were first detailed in June by PhishMe, which described the threat as a highly efficient piece of malware because it is capable of bypassing a browser’s SSL mechanism that protects users’ information. Information submitted to SSL-protected websites is encrypted before being sent to the server to protect it against man-in-the-middle attacks. However, by hooking the Web browser process, the malware can see the data entered by the victim before it is encrypted.

According to Proofpoint, the latest variants of the threat are designed to communicate with their command and control (C&C) server via SSL on ports 443 and 4443. In order to do this, Dyre uses its own SSL certificate, which has been issued to an organization called Internet Widgits Pty Ltd.
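The certificate and port details above give defenders something concrete to hunt for in TLS connection logs. The following Python snippet is an added example, not code from the article or from Proofpoint: it runs over a constructed, Zeek-style ssl.log sample (fields and values are assumptions) and flags connections on ports 443 or 4443 whose certificate subject organization is “Internet Widgits Pty Ltd”, noting self-signed and SNI-less connections as extra context.

```python
# Constructed sample TLS connection records (Zeek-style ssl.log layout, tab-separated).
# Fields: ts, src_ip, dst_ip, dst_port, server_name (SNI), subject DN, issuer DN.
# All addresses and names are made up for this example.
SAMPLE_SSL_LOG = """\
1412000000.1\t10.0.0.5\t203.0.113.10\t443\twww.example.com\tCN=www.example.com,O=Example Inc\tCN=Example CA,O=Example Inc
1412000001.2\t10.0.0.5\t198.51.100.7\t4443\t-\tCN=srv,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\tCN=srv,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
1412000002.3\t10.0.0.9\t198.51.100.8\t443\t-\tCN=x,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\tCN=x,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
1412000003.4\t10.0.0.5\t203.0.113.11\t8443\tapi.example.org\tCN=api.example.org,O=Example Inc\tCN=Example CA,O=Example Inc
"""

SUSPECT_ORG = "internet widgits pty ltd"   # organization named in the Dyre certificate
C2_PORTS = {443, 4443}                     # C&C ports reported by Proofpoint

def parse_dn(dn):
    """Split an RDN string such as 'CN=x,O=y' into a dict keyed by attribute type."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out

def flag_dyre_like_tls(log_text):
    """Return one alert dict per connection matching the certificate-org and port indicators."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, sni, subject, issuer = line.split("\t")
        port = int(port)
        subj = parse_dn(subject)
        if subj.get("O", "").lower() != SUSPECT_ORG or port not in C2_PORTS:
            continue
        reasons = ["subject O matches Internet Widgits Pty Ltd", f"dst port {port}"]
        if subject == issuer:
            reasons.append("self-signed (subject == issuer)")
        if sni == "-":
            reasons.append("no SNI")
        alerts.append({"ts": ts, "src": src, "dst": dst, "port": port, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_dyre_like_tls(SAMPLE_SSL_LOG):
        print(alert)
```

Note that “Internet Widgits Pty Ltd” is the default organization name OpenSSL’s certificate tools fill in, so plenty of benign self-signed certificates carry it; treat a hit as a pivot for investigation (destination reputation, process making the connection) rather than a verdict on its own.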

Another new feature has been dubbed “browsersnapshot”, which enables the cybercriminals to collect cookies, client-side certificates and private keys from the infected computer’s Windows Certificate Store.

This isn’t the only type of information harvested by the latest versions of the Trojan. Experts have found that Dyre has also started collecting a list of installed programs and services. The information is extracted from the registry and sent back to the C&C server.

Software enumeration is usually part of reconnaissance missions in which the attackers try to harvest information on their future targets and determine which vectors they can exploit depending on what is or isn’t running on a remote system.

Proofpoint researchers point out that Dyre downloads the configuration file containing the list of targeted organizations from the C&C server. This indicates that the list of targets can change at any time.

“This sample of Dyreza highlights the rapid adaptation of new malware to updated defenses and the effort by crimeware groups to pursue new targets. Expect to see Dyreza and other threats continue to evolve – and to evolve more rapidly – as time goes by,” Proofpoint researchers explained in a blog post.

In August, Proofpoint reported seeing a JPMorgan Chase phishing campaign in which the attackers were trying to distribute Dyre both through the RIG exploit kit and by serving it directly disguised as a Java update.

Earlier this month, Salesforce warned customers of a cybercriminal campaign designed to install Dyre on their computers. Now, after analyzing the malware configuration file downloaded by the latest variants of the Trojan, Proofpoint says Salesforce.com is still on the list of targets.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
