Dyre Spambots Use JJencode to Broaden Distribution

January was a busy month for the developers of Dyre/Dyreza. The group reintroduced their Upatre link spam with some additional subterfuge.

This article explores the two types of spambot that Dyre uses; the following diagram gives a simplified view of how each type executes.

Differences between two current Dyre spambots.

Dyre bot operators have started to JJencode their HTML to evade detection, and have rigged the code to generate a unique file frequently, which hinders hash-based recognition of their work.
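As an added example (not code from the article or from ThreatTrack), a Python checker that keys on the fixed JJencode prelude and symbol alphabet rather than on a file hash, so regenerated copies with a different global variable name still match; the HTML it scans is constructed sample data, not a captured Dyre page.

```python
import re
from html.parser import HTMLParser
# Every JJencode build opens with the same prelude; only the global variable name
# varies, so a structural match survives the per-request regeneration that defeats hashes.
PRELUDE = re.compile(
    r'(?P<gv>[\w$]+)=~\[\];(?P=gv)=\{___:\+\+(?P=gv),'
    r'\$\$\$\$:\(!\[\]\+""\)\[(?P=gv)\],__\$:\+\+(?P=gv),'
)
SYMBOLS = set('$_+()[]{}:,;!"\\~=.')  # the JJencode output alphabet
DENSITY_THRESHOLD = 0.6

class ScriptCollector(HTMLParser):  # gathers the body of every <script> element
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def symbol_density(js):
    """Fraction of non-whitespace characters drawn from the JJencode alphabet."""
    body = re.sub(r"\s+", "", js)
    return sum(c in SYMBOLS for c in body) / len(body) if body else 0.0

def find_jjencode(html):
    """One finding per JJencoded <script>: its global name, symbol density, and
    whether it ends with the ...)())(); invocation every finished build has."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for js in parser.scripts:
        compact = re.sub(r"\s+", "", js)
        m, density = PRELUDE.search(compact), symbol_density(js)
        if m and density >= DENSITY_THRESHOLD:
            findings.append({"gv": m.group("gv"), "density": round(density, 2),
                             "tail_ok": compact.endswith(")())();")})
    return findings

# Constructed sample page (not from the article): two JJencoded scripts with different
# global names, plus one ordinary script that must not match.
SAMPLE_HTML = r"""<html><body><script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\"")())();</script>
<script>Zz=~[];Zz={___:++Zz,$$$$:(![]+"")[Zz],__$:++Zz,$_$_:(![]+"")[Zz],_$_:++Zz,$_$$:({}+"")[Zz],$$_$:(Zz[Zz]+"")[Zz],_$$:++Zz,$$$_:(!""+"")[Zz],$__:++Zz,$_$:++Zz,$$__:({}+"")[Zz],$$_:++Zz,$$$:++Zz,$___:++Zz,$__$:++Zz};Zz.$_=(Zz.$_=Zz+"")[Zz.$_$]+(Zz._$=Zz.$_[Zz.__$])+(Zz.$$=(Zz.$+"")[Zz.__$])+((!Zz)+"")[Zz._$$]+(Zz.__=Zz.$_[Zz.$$_])+(Zz.$=(!""+"")[Zz.__$])+(Zz._=(!""+"")[Zz._$_])+Zz.$_[Zz.$_$]+Zz.__+Zz._$+Zz.$;Zz.$$=Zz.$+(!""+"")[Zz._$$]+Zz.__+Zz._+Zz.$+Zz.$$;Zz.$=(Zz.___)[Zz.$_][Zz.$_];Zz.$(Zz.$(Zz.$$+"\""+Zz.$_$_+"\"")())();</script>
<script>document.getElementById("x").innerHTML = "hi";</script></body></html>"""
```

Run `find_jjencode(SAMPLE_HTML)` to get one finding for each obfuscated script and none for the ordinary one; a match with `tail_ok` false is worth a look too, since it can mean the page was cut off or padded.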

Example spam email with Dyre link

Example spam HTML email with Dyre link

Spam emails containing links to these JJencoded pages are sent by spambots, which the Dyre botnet drops on victims' computers.

Spambot Type 1

In a recent distribution, ThreatTrack Labs researchers noted that these spambots retrieved the URL used to populate their templates from //5.104.109[.]197:13010/action.php?action=get_red, and grabbed their list of email targets from the same PHP script.

We’ve also seen this type of spambot using email attachments. Here are some examples of templates we encountered in January:

002

Subject: Barclays – Important Update, read carefully!

Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we downloaded the Update Form to security Barclays webserver.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

– Please download and complete the form with the requested details: $url$

– Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.

Sincerely,

Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.

003

Subject: Fax #$number6$

Fax message

$url$
Sent date: $date$

004

Subject: Payment Advice – Advice Ref:[GB$number5$] / CHAPS credits

Sir/Madam,

Please download document from dropbox, payment advice is issued at the
request of our customer. The advice is for your reference only.

Download link:

$url$

Yours faithfully,
Global Payments and Cash Management
HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to
this email will be disregarded.

***************************************************************************
Security tips

1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure you have
the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of
this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability
for any errors or omissions.
*******************************************************************
“SAVE PAPER – THINK BEFORE YOU PRINT!”

005

Subject: Employee Documents – Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: $url$

Documents are encrypted in transit and store in a secure repository

———————————————————————————
This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply
email and delete the message and any attachments.

006

Subject: Important information about your account

We want you to recognise a fraudulent email if you receive one. The last
four digits of your account number: XXXX$number3$.

Dear Lloyds Link Customer,

You have a new message

There’s a new message in your Internet Banking Inbox. Messages contain
information about your account, so it’s important to view them.

If you’ve chosen to use a shared email address, please note that anyone
who has access to your online bank account or email account will be able
to view your messages.

Your inbox correspondence will never be deleted.

SUBJECT

DATE

ACCOUNT DETAILS

ACCOUNT NUMBER

Important information about your account

16 January 2015

Lloyds Commercial

XXXX$number3$

PLEASE NOTE: this message is important and needs your immediate
attention.

Please click [1] here to log into Internet Banking straightaway to view
it.

Yours sincerely

Nicholas Williams,
Consumer Digital Director

Please do not reply to this email as this address is not manned and
cannot receive any replies.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN.
Registered in England and Wales, number 2065. Telephone: 020 7626 1500.

Lloyds Bank plc is authorised by the Prudential Regulation Authority and
regulated by the Financial Conduct Authority and the Prudential
Regulation Authority under registration number 119278.*

Links:
——
[1] http://mail.itpix.org/$url$

007

Subject: Important – Please complete attached form

*********************************************************************
This message has been scanned by the Bankline CSC SSM AV and found to be free
of known security risks.
*********************************************************************

Dear Customer

Please find below your Banking Form for Bankline.

$url$

Please complete Bankline Banking Form :

– Your Customer Id and User Id – which are available from your administrator if you have not already received them

Additionally, if you wish to access Bankline training, simply follow the link below

www.natwest.com/banklinetraining

If you have any queries or concerns, please telephone your Electronic Banking Help Desk.

National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your
computer.

Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

008

Subject: Employee Documents – Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: $url$

Documents are encrypted in transit and store in a secure repository

009

Subject: Fax

Fax message

Sent date: $date$

010

Subject: eFax $number7$

You have received a $number2$ page fax at $date$.

* The reference number for this fax is
p2_did$number0$-$number1$-$number9$-65.

Thank you for using the eFax Corporate service!

2014 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Corporate
Customer Agreement [1].

Links:
——
[1] http://home.efax.com/customerAgreements/corp/customerAgreement.html 

This is just one type of spambot that Dyre delivers.

Spambot Type 2

The second spambot type that Dyre distributes uses Outlook components to send out spam with Upatre attachments. This spambot connects to a Dyre command and control server on port 1025 to retrieve instructions.

The spam this second bot sends out is often quite concise, asking the reader to open a PDF.

For example:

Subject: unpaid invoice

Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
questions.

Thank you.

Defend Yourself Against Dyre

Ensure your antivirus is up-to-date to protect yourself from malicious threats. VIPRE detects spambot type 1 as Spammer.Win32.Hedsen.nfua (v), and spambot type 2 as Win32.Malware!Drop and Trojan.Win32.Spammer (fs).

The spambot MD5 hashes we used for this analysis are:

Spambot 2:

d9a3d5c3c06f3429b65db7b84b50bed4
4df95e133ed489ef4f0736eabb16ba2e

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

Photo Credit: Ben Goddard, Technical Writer, ThreatTrack Security

Portions of the Dyre Spambot diagram contain icons made by Freepik from www.flaticon.com, licensed under Creative Commons BY 3.0.

The post Dyre Spambots Use JJencode to Broaden Distribution appeared first on ThreatTrack Security Labs Blog.