New RAT Bypasses SSL Protection, Targets Bank Credentials

Researchers at PhishMe have spotted a new strain of malware being used in an attack campaign that swipes bank credentials and circumvents SSL.


The malware is known as Dyre. According to PhishMe, the attackers using the malware are the same ones linked to an attack campaign seen using Dropbox links earlier this month.

“The attackers have shifted tactics, and are now using the service Cubby (Dropbox competitor by LogMeIn) as a new place for hosting their malware,” PhishMe’s Ronnie Tokazowski told SecurityWeek in an email.

The attacks come via email, with the examples seen by PhishMe coming in the form of messages with subjects like ‘Re: Invoice #1006501’ and ‘Your FED TAX payment (ID:418IRS971175699) was Rejected’. The malware downloads as a screen saver file inside of a zip file. Once the user opens the zip file and runs the .scr file, the malware beacons out to several hardcoded IP addresses, according to Tokazowski.

“Once the IP addresses can be reached, the malware will make the following GET request for a path to /publickey/,” the researcher explained in a blog post. “The current function of this data is unknown. Next, the malware sends a beacon containing the OS in a GET request… Then the malware makes a GET request to “/1/”, where a potential command is sent back to the malware.”

The malware continues to beacon afterward.

“The attackers are using a technique similar to browser hooking,” he said in the email. “To explain this technique a little more, let’s say you go to your bank website (SSL encrypted) and enter your login information, which at this point, is not encrypted. Once you submit the information to log in, the data is first encrypted (using keys from the initial SSL handshake), and sent on its way for validation.”


“Browser hooking hooks the process, usually right before time of encryption,” he added. “Once hooked, the malware can see the data before it’s encrypted, effectively bypassing the SSL mechanism in the browser. At this point, the malware takes a copy of this data and sends a copy to a server under their control, recording the data containing usernames and passwords. This is transparent to the user and no redirects happen that the user would detect. To the user, they are still on the bank site and still encrypted with HTTPS.”

“In testing, I was able to have this malware POST a search string performed by Google, and some data was monitored from Google as well,” he said. “With this malware, it monitors for a list of banks, and if one is seen, will post the information back to the attackers’ infrastructure. With the ability to modify network traffic and successfully bypass the SSL mechanism, there’s nothing stopping the attackers from changing the code to ‘if site X, steal information’ or ‘if any site containing HTTPS, steal information’.”

To protect against the threat, he suggested in a blog post that organizations, among other things, check their proxy logs for traffic to Cubby and for downloads of zip files containing the name “documents” or “invoice”, as well as blocking IPs, and 
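The proxy-log review described above, as an added example that is not part of the article or PhishMe's own tooling: it scans constructed sample proxy lines (the log format, client addresses and the 203.0.113.7 server are assumptions) for Cubby downloads, zip names containing “documents” or “invoice”, and the /publickey/ followed by /1/ beacon sequence quoted from the researcher.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2014-06-17T09:12:01Z 10.0.0.12 GET https://www.cubby.com/pl/Invoice_1006501.zip/abc123 200
2014-06-17T09:12:09Z 10.0.0.12 GET http://203.0.113.7/publickey/ 200
2014-06-17T09:12:10Z 10.0.0.12 GET http://203.0.113.7/1/ 200
2014-06-17T09:15:44Z 10.0.0.31 GET https://example.org/reports/documents.zip 200
2014-06-17T09:16:02Z 10.0.0.31 GET https://www.cubby.com/pl/Presentation.pptx/zz9 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
CUBBY_RE = re.compile(r"^https?://(?:[\w.-]+\.)?cubby\.com/", re.I)
ZIP_NAME_RE = re.compile(r"(documents|invoice)[^/]*\.zip", re.I)
HOST_PATH_RE = re.compile(r"^https?://([^/]+)(/.*)$")

def parse(log_text):
    """Parse proxy log lines into dicts; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def find_suspicious(log_text):
    """Return (client, reason) pairs for the article's three indicators:
    a Cubby download, a zip named documents/invoice, and a /publickey/
    request followed by /1/ to the same host from the same client."""
    hits = []
    seen_publickey = defaultdict(set)  # client -> hosts that served /publickey/
    for r in parse(log_text):
        url, client = r["url"], r["client"]
        if CUBBY_RE.match(url):
            hits.append((client, "download from Cubby: " + url))
        if ZIP_NAME_RE.search(url):
            hits.append((client, "zip named documents/invoice: " + url))
        hp = HOST_PATH_RE.match(url)
        if hp:
            host, path = hp.groups()
            if path == "/publickey/":
                seen_publickey[client].add(host)
            elif path == "/1/" and host in seen_publickey[client]:
                hits.append((client, "Dyre-style beacon sequence to " + host))
    return hits

if __name__ == "__main__":
    for client, reason in find_suspicious(SAMPLE_LOG):
        print(client, reason)
```

Only the first client trips the beacon rule; the second only matches the weaker name-based indicators, which is the kind of triage split a proxy review would surface.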
