Researchers have uncovered a new variant of the Dyre (Dyreza) banking Trojan and have discovered that malware developers have added several new features to the threat.
Capabilities of the Dyre malware were first detailed in June by PhishMe, which described the threat as being a highly efficient piece of malware because it’s capable of bypassing a Browser’s SSL mechanism that protects users’ information. Information submitted to SSL-protected websites is encrypted before being sent to the server to protect it against man-in-the-middle attacks. However, by hooking the Web browser process, the malware can see the data entered by the victim before it is encrypted.
According to Proofpoint, the latest variants of the threat are designed to communicate with their command and control (C&C) server via SSL on ports 443 and 4443. In order to do this, Dyre uses its own SSL certificate, which has been issued to an organization called Internet Widgits Pty Ltd.
Another new feature has been dubbed “browsersnapshot” which enables the cybercriminals to collect cookies, client-side certificates and private keys from the infected computer’s Windows Certificate Store.
This isn’t the only type of information harvested by the latest versions of the Trojan. Experts have found that Dyre has also started collecting a list of installed programs and services. The information is extracted from the registry and sent back to the C&C server.
Software enumeration is usually part of reconnaissance missions in which the attackers try to harvest information on their future targets and determine which vectors they can exploit depending on what is or isn’t running on a remote system.
Proofpoint researchers point out that Dyre downloads the configuration file containing the list of targeted organizations from the C&C server. This indicates that the list of targets can change at any time.
“This sample of Dyreza highlights the rapid adaptation of new malware to updated defenses and the effort by crimeware groups to pursue new targets. Expect to see Dyreza and other threats continue to evolve – and to evolve more rapidly – as time goes by,” Proofpoint researchers explained in a blog post.
In August, Proofpoint reported seeing a JPMorgan Chase phishing campaign in which the attackers were trying to distribute Dyre both through the RIG exploit kit and by serving it directly disguised as a Java update.
Earlier this month, Salesforce warned customers of a cybercriminal campaign designed to install Dyre on their computers. Now, after analyzing the malware configuration file downloaded by the latest variants of the Trojan, Proofpoint says Salesforce.com is still on the list of targets.