Researchers at PhishMe have spotted a new strain of malware being used in an attack campaign that swipes bank credentials and circumvents SSL.
The malware is known as Dyre. According to PhishMe, the attackers using the malware are the same ones linked to an attack campaign seen using Dropbox links earlier this month.
“The attackers have shifted tactics, and are now using the service Cubby (Dropbox competitor by LogMeIn) as a new place for hosting their malware,” PhishMe’s Ronnie Tokazowski told SecurityWeek in an email.
The attacks come via email, with the examples seen by PhishMe coming in the form of messages with subjects like ‘Re: Invoice #1006501’ and ‘Your FED TAX payment (ID:418IRS971175699) was Rejected’. The malware downloads as a screen saver file inside of a zip file. Once the user opens the zip file and runs the .scr file, the malware beacons out to several hardcoded IP addresses, according to Tokazowski.
“Once the IP addresses can be reached, the malware will make the following GET request for a path to /publickey/,” the researcher explained in a blog post. “The current function of this data is unknown. Next, the malware sends a beacon containing the OS in a GET request… Then the malware makes a GET request to ‘/1/’, where a potential command is sent back to the malware.”
The malware continues to beacon afterward.
“The attackers are using a technique similar to browser hooking,” he said in the email. “To explain this technique a little more, let’s say you go to your bank website (SSL encrypted) and enter your login information, which at this point, is not encrypted. Once you submit the information to log in, the data is first encrypted (using keys from the initial SSL handshake), and sent on its way for validation.”
“Browser hooking hooks the process, usually right before time of encryption,” he added. “Once hooked, the malware can see the data before it’s encrypted, effectively bypassing the SSL mechanism in the browser. At this point, the malware takes a copy of this data and sends a copy to a server under their control, recording the data containing usernames and passwords. This is transparent to the user and no redirects happen that the user would detect. To the user, they are still on the bank site and still encrypted with HTTPS.”
“In testing, I was able to have this malware POST a search string performed by Google, and some data was monitored from Google as well,” he said. “With this malware, it monitors for a list of banks, and if one is seen, will post the information back to the attackers’ infrastructure. With the ability to modify network traffic and successfully bypass the SSL mechanism, there’s nothing stopping the attackers from changing the code to ‘if site X, steal information’ or ‘if any site containing HTTPS, steal information’.”
To protect against the threat, he suggested in a blog post that organizations, among other things, check their proxy logs for traffic to Cubby and for downloads of zip files with “documents” or “invoice” in the file name, and block the IP addresses 220.127.116.11, 18.104.22.168, and 22.214.171.124.
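As an added example (not PhishMe's or the article's code), the following Python scanner applies the indicators above, the Cubby-hosted zip downloads and the three blocked addresses with the /publickey/ and /1/ beacon paths described earlier, to a few constructed proxy log lines. The log layout and the cubby.com host name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the article: the addresses it names and the GET paths
# the beacon is described as requesting after reaching one of them.
BLOCKED_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124"}
BEACON_PATHS = {"/publickey/", "/1/"}
ZIP_NAME_WORDS = ("documents", "invoice")
# Assumption: Cubby shares are served from cubby.com (or a subdomain of it).
FILE_HOST_RE = re.compile(r"(^|\.)cubby\.com$", re.IGNORECASE)

# Assumed (constructed) proxy log layout: "<time> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line):
    """Return the indicator tags that match one proxy log line ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _, _client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if FILE_HOST_RE.search(host):
        tags.append("cubby-download")
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename.endswith(".zip") and any(w in filename for w in ZIP_NAME_WORDS):
        tags.append("suspicious-zip")
    if host in BLOCKED_IPS:
        tags.append("known-c2-ip")
        # "/1/" is too generic on its own; only count it against a listed address.
        if method == "GET" and parts.path in BEACON_PATHS:
            tags.append("dyre-beacon-path")
    return tags


def scan(lines):
    """Map every flagged log line to its tags, dropping clean lines."""
    return {ln: tags for ln in lines if (tags := classify(ln))}


# Constructed sample log; the first three lines mimic the described infection chain.
SAMPLE_LOG = [
    "2014-06-16T10:01:02 10.0.0.5 GET https://www.cubby.com/pl/Invoice_1006501.zip 200",
    "2014-06-16T10:01:09 10.0.0.5 GET http://220.127.116.11/publickey/ 200",
    "2014-06-16T10:01:10 10.0.0.5 GET http://220.127.116.11/1/ 200",
    "2014-06-16T10:02:00 10.0.0.7 GET https://example.com/reports/q2.zip 200",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(", ".join(tags), "<-", line)
```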