Researchers at Trend Micro have identified a new variant of the financial malware known as Dyre (Dyreza). The threat now targets a larger number of banks and uses some noteworthy propagation and evasion techniques.
In recent months, cybercriminals used the Cutwail spambot to distribute Dyre. However, the new variant spotted by Trend Micro uses a more interesting propagation technique.
The attack starts with a spam email containing the Upatre downloader disguised as a fax or the details of a package delivery. Once executed, Upatre downloads the new Dyre variant, which in turn downloads a worm detected by Trend Micro as WORM_MAILSPAM.XDP.
The worm uses the Microsoft Outlook email client installed on compromised devices to send out spam emails with the Upatre downloader attached to them. The malware leverages Outlook’s msmapi32.dll library to complete the task.
“The attached UPATRE malware then downloads DYRE and the cycle repeats. This technique makes DYRE automatically generate spammed emails even faster with the help of its infected users,” Trend Micro Threat Response Engineer Michael Marcos explained in a blog post.
It’s worth noting that the worm doesn’t send spam emails to the victim’s contacts. Instead it uses email addresses obtained from a command and control (C&C) server. Once the emails are sent, the worm deletes itself, the security firm said.
Initially, Dyre was designed to steal information from a total of 206 websites, but this new version targets 355 sites. Most of the recently added websites belong to banks and Bitcoin wallets.
In January, 68% of the Dyre infections spotted by Trend Micro were in the United States, followed by Canada (10%) and Chile (4%).
Researchers also noticed some interesting new evasion techniques, such as the use of SSL to protect C&C communications.
Dyre is designed to connect to C&C servers whose addresses are hard-coded in the binary. If that fails, the threat attempts to connect to a URL provided by the malware’s domain generation algorithm (DGA). The DGA, which generates URLs on various top-level domains (cc, ws, to, in, hk, cn, tk, and so on), is similar to the one used by Downad/Conficker.
The malware can also connect to a hard-coded address on the Invisible Internet Project (I2P), an anonymity network used by the online drug marketplace Silk Road Reloaded and the CryptoWall 3.0 ransomware.
Last week, Symantec reported that cybercriminals had been using the Cutwail botnet for short-duration, high-volume spam runs. Each of the attacks lasted only a few minutes, but millions of spam emails had been sent out each time.
The emails contained links that pointed to a malicious website set up to serve a variant of Dyre. In some cases, victims were redirected to a phishing page instead of the malware-serving site.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
