CSIS Blog: Dyreza aims at Swiss banks

The latest variant of Dyreza/Dyre, just analyzed in our lab, contains several new targets in its configuration file.

The most interesting fact is that Dyreza now also targets several banks in Switzerland. The latest targets (sorted by diff) added to its configuration can be observed below:


The most recent campaigns observed arrived as spam e-mails with a PPT attachment that exploits CVE-2014-4114, also known as the “Windows OLE Remote Code Execution Vulnerability”. As a side note, this exploit was first seen abused in the Sandworm APT attacks against Poland and Ukraine. If the software is not updated, arbitrary code is executed, and Dyreza is then downloaded to the host and run.

As previously stated, Dyreza is oftentimes delivered through spam e-mails. We have seen a variety of content:

Subject(s):
Unpaid invoic
New bank details
Invoice #[7 random numbers]

Content example:
Attached is the invoice received from your bank.
Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices@adp.com.

For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you ,

Automatic Data Processing, Inc.
1 ADP Boulevard
Roseland
NJ 07068

[..]

Attachment(s):
Invoice[6 random numbers].pdf (PDF exploit -> CVE-2013-2729)
bank details.zip -> bank details.exe (Upatre)
Invoice-[6 random numbers].zip -> Invoice-[6 random numbers].scr (Upatre)
ADP-invoice.pptx (CVE-2014-4114)

Heimdal Security Agent, a free patch management tool (https://heimdalsecurity.com), will automatically update any vulnerable Adobe installations as well as several other third-party products that are abused in the wild to plant malware on Microsoft Windows hosts. Patching vulnerable software prevents the exploit code from running even if the user opens the attached maliciously crafted PDF document.

Dyreza installs itself as a service “Google Update Service (googleupdate)” and thus gets executed each time the system is rebooted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
Value: DisplayName
Type: REG_SZ
Data: Google Update Service
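An added triage script for the service key described above (not part of the CSIS post): it reports what the key would start at boot and checks the Authenticode signature and SHA-256 hash of the binary the ImagePath points to, so an analyst can compare it against a genuine vendor updater before deciding. It assumes PowerShell 4 or later for Get-FileHash and an elevated session for reading the key.

```powershell
# Added example, not from the original post: inspect the persistence key named in the article.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\googleupdate'

if (-not (Test-Path $keyPath)) {
    Write-Output "No service key at $keyPath"
    return
}

$svc = Get-ItemProperty -Path $keyPath
Write-Output ("DisplayName : {0}" -f $svc.DisplayName)
Write-Output ("ImagePath   : {0}" -f $svc.ImagePath)
Write-Output ("Start       : {0}" -f $svc.Start)   # 2 = Automatic, i.e. runs on every boot

# ImagePath may be quoted and may carry arguments; pull out just the executable path.
$exe = $null
if ($svc.ImagePath -match '^\s*"([^"]+)"') { $exe = $matches[1] }
elseif ($svc.ImagePath -match '^\s*(\S+)') { $exe = $matches[1] }

if ($exe -and (Test-Path $exe)) {
    # A legitimate vendor updater is expected to carry a valid signature from that vendor;
    # anything else under this display name deserves a closer look.
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $hash = Get-FileHash -Path $exe -Algorithm SHA256
    Write-Output ("Signature   : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Output ("SHA256      : {0}" -f $hash.Hash)
} else {
    Write-Output "ImagePath does not point at an existing file: $($svc.ImagePath)"
}
```

The SHA-256 output can be fed to your own blocklist or sandbox; the script itself makes no verdict.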

On Microsoft Windows 7, it injects itself into the explorer.exe process and hooks the browser. A slightly different approach is used on older Windows versions, where it injects into the svchost.exe process instead.

OVH and Dyreza C&C
We couldn’t help noticing that most of the C&Cs of Dyreza are hosted at OVH in France:


We have previously posted technical details on Dyreza. For details see:

“New banker Trojan in town: Dyreza”
https://www.csis.dk/en/csis/news/4262/

Just recently, US-CERT issued a warning about Dyreza:
“Phishing Campaign Linked with “Dyre” Banking Malware”
https://www.us-cert.gov/ncas/alerts/TA14-300A