This past week, we have observed a wave of spam e-mails being sent to random addresses and containing a short link to a compromised webserver, on which a malicious file is hosted.
If the victim is fooled into clicking the link, it serves up a zip file, e.g. “Documents.zip”, “Document-[random numbers].zip”, “eFax -[random numbers].zip” or “CompaniesHouse-[random numbers]”, which, when unzipped and run, infects the system with the downloader known as Upatre. Next, Upatre fetches and executes Dyreza, a recently discovered banking trojan, which is downloaded from a list of URLs specified in the downloader.
The e-mail lures use subjects such as:
Important docs
You have a new Secure Message
You’ve received a new fax
They come spoofed so that they appear to arrive from several banks, primarily in the UK. The links are shortened using the legitimate service “goo.gl”, which redirects to e.g.:
http://ste-fun.ovh.org/Documents.zip
http://www.zespolpik.pl/Documents.zip
[…]
As previously mentioned, the code is “Upatre”, which, when executed, drops itself onto the system as: LOCALS~1\Temp\wrzjs.exe.
It then makes several HTTP GET requests to download the main payload from:
auinvest.eu/cennik/img/1118.zip
marc-heinisch.de/kalender/1118.zip
auinvest.eu/cennik/heap.zip
smartsync.com/order/invoice/heap.zip
www.gestski.com/cqc/Pre.zip
smartsync.com/order/sveta/Pre.zip
The current Dyreza C&C is hosted at OVH: 94.23.247.202.
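To show how the chain above can be spotted in web proxy logs, here is an added example (not part of the original advisory or CSIS tooling) that matches Squid-style access log lines against the lure URLs, the payload URLs and the C&C address listed above. The log lines in the script are constructed, and the stage labels are my own naming.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the advisory above. The log lines further down are constructed.
LURE_URLS = {
    "ste-fun.ovh.org/Documents.zip",
    "www.zespolpik.pl/Documents.zip",
}
PAYLOAD_URLS = {
    "auinvest.eu/cennik/img/1118.zip",
    "marc-heinisch.de/kalender/1118.zip",
    "auinvest.eu/cennik/heap.zip",
    "smartsync.com/order/invoice/heap.zip",
    "www.gestski.com/cqc/Pre.zip",
    "smartsync.com/order/sveta/Pre.zip",
}
DYREZA_C2 = "94.23.247.202"

# Squid-style access.log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def classify(url):
    """Map a requested URL to the stage of the chain it belongs to, or None."""
    p = urlsplit(url if "://" in url else "http://" + url)
    key = (p.hostname or "") + p.path   # hostname is lowercased by urlsplit, path kept as-is
    if key in LURE_URLS:
        return "upatre-lure-zip"
    if key in PAYLOAD_URLS:
        return "dyreza-payload-fetch"
    if p.hostname == DYREZA_C2:
        return "dyreza-c2-traffic"
    return None

def scan_log(lines):
    """Return (client, stage, url) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (stage := classify(m.group("url"))):
            hits.append((m.group("client"), stage, m.group("url")))
    return hits

# Constructed sample proxy log: one benign request, then the three stages in order.
SAMPLE_LOG = """\
1403520000.123 245 10.0.0.17 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1403520012.456 980 10.0.0.17 TCP_MISS/200 40211 GET http://ste-fun.ovh.org/Documents.zip - DIRECT/203.0.113.5 application/zip
1403520030.789 610 10.0.0.17 TCP_MISS/200 98304 GET http://auinvest.eu/cennik/heap.zip - DIRECT/203.0.113.9 application/zip
1403520045.001 120 10.0.0.17 TCP_MISS/200 300 POST http://94.23.247.202/ - DIRECT/94.23.247.202 text/plain
""".splitlines()
```

Calling scan_log(SAMPLE_LOG) returns three hits for client 10.0.0.17, one per stage, which is the sequence (lure zip, payload fetch, C&C contact) worth alerting on as a single infection rather than three unrelated events.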
More info on Dyreza:
https://www.csis.dk/en/csis/news/4262/