Dyre Malware Revisited
June 8, 2015

In the April 7 issue of our Advisory, we wrote about the Dyre banking malware that was being used in phishing campaigns across the globe. Unfortunately, this threat hasn’t abated.

Dyre malware was first profiled last year. Since then it has grown from strength to strength, posing a threat not just to Europe and North America but also to Japan and the Asia Pacific region.

In the final quarter of 2014 only 4,000 Dyre infections occurred. In the first quarter of 2015 the figure was a staggering 9,000 infections. 39 percent of infections were linked to European users, while 38 percent were North American users. Dyre-related infections worldwide rose 125% this quarter compared to the last, proving without a doubt that cybercriminals’ interest in online banking continues to grow.

In traditional cyber-attack logic, criminals target the easiest victims. Today, the attack profile has changed. The best cybercriminals in Eastern Europe will try to break into the most secure banks, the ones most difficult to compromise. If they succeed, their “reward” is much greater. As the Chief Security Officer at Trend Micro said, “They’re all about if I can take down the top piece of fruit; I can take down the whole tree.”

As Europe’s strict regulations make its banks’ security tighter than that of American and Asian banks, breaking into them would be a coup for cybercriminals, not to mention the “rewards” awaiting them.

Instead of relying only on European and American banks, these criminals are now turning their sights to the Asia Pacific and Japan regions by way of spammed messages. Within the first week of May this year, 44 percent of users in Asia Pacific were targeted by Dyre-infected emails.

To make matters worse, a new version of Dyre malware was discovered in a spam run that allows the malware to avoid detection. The malware utilizes UPATRE, which is known as a downloader (see Definition), a middleman malware of sorts.

This time UPATRE has become more than just a downloader of other malware. It can now disable detection, ensuring the easy download of Dyre and other malware onto users’ systems. It disables firewall and network-related security by modifying registry entries and stopping the related services. If this isn’t enough, it also disables Windows’ default anti-malware feature. This allows the malware to stay on the victim’s system for a longer period of time and do more harm.
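
A defender-side check for the kind of tampering described above, added here as an example and not code from the advisory or from Trend Micro: it verifies that the Windows Firewall and Windows Defender services are running and that the firewall-policy and Defender-policy registry values have not been set to disable them. The service names and registry paths are standard Windows locations assumed for illustration; the advisory does not name the specific entries UPATRE modifies.

```powershell
# Added example: baseline check for security-feature tampering of the kind the advisory describes.
# Service names and registry paths are standard Windows locations and are an assumption;
# the advisory does not name the exact entries UPATRE changes.

$services = @{
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine (firewall dependency)'
    'WinDefend' = 'Windows Defender'
    'wscsvc'    = 'Security Center'
}

$findings = @()

# A stopped or missing service here is a tampering indicator, not just a misconfiguration.
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "Service $name ($($services[$name])) not found"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service $name ($($services[$name])) is $($svc.Status)"
    }
}

# Firewall profile policy: EnableFirewall = 0 turns that profile's firewall off.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $fwBase $fwProfile
    $val = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -ne $val -and $val.EnableFirewall -eq 0) {
        $findings += "Firewall disabled for $fwProfile (EnableFirewall=0)"
    }
}

# Defender policy: DisableAntiSpyware = 1 switches Defender off via policy.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($null -ne $def -and $def.DisableAntiSpyware -eq 1) {
    $findings += 'Windows Defender disabled by policy (DisableAntiSpyware=1)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No tampering indicators found.'
} else {
    Write-Warning 'Possible security-feature tampering:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from an elevated PowerShell prompt; a hit on any check warrants a full anti-malware scan rather than simply re-enabling the feature.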

The UPATRE spam content follows a typical social engineering technique. It creates fear in the recipients and causes them to open an email attachment to find out about a non-existent law that supposedly doubles their tax. As we all know, when it comes to tax we tend to believe such claims and fall for the ruse.

Recommendation

  1. Know your banking policies.
  2. Download and install a full-featured antimalware solution.
  3. Change passwords.
  4. Monitor online banking transactions in case of infections.
  5. Alert the bank when you spot suspicious transactions.

Definition

Downloader – software that may download malware to a computer system. It can also be adware.

Source

  1. SC Magazine.
  2. Trend Micro blog.

The Week That Was

  1. Silk Road founder jailed for life. The founder of the hidden online marketplace, Ross Ulbricht, was jailed for life without the possibility of parole. The site became the sales vector of choice for drug dealers around the world. Aside from drugs, other illegal material and services, such as stolen online login details, were sold through the site.
  2. “Marauders Map” can track your location through Facebook Messenger. A Chrome browser extension developed by a Harvard College computer science student, Aran Khanna, allows people to pinpoint and track the location of Facebook Messenger users. It can locate a user to within one metre.
  3. Personal info of over a million Japanese pensioners stolen. Personal information of 1.25 million pensioners has been compromised following a successful breach of the Japan Pension Service. Hackers were able to do this when one of the service’s staff opened a virus-laden attachment in a spear-phishing email.
  4. Malvertising (malicious advertising) infected millions of users in 2015. We are only halfway through the year, and cybercriminals are busy at work with malvertising. Malicious adverts placed on popular websites including The Huffington Post, Answers.com and Dailymotion have exposed millions of users to zero-day attacks.
  5. Employee credentials in Europe exposed. A Web intelligence firm has reported that 49 percent of Europe’s largest companies have had employee credentials exposed online. This is due to weak passwords, unchanged default passwords and employees using their work email accounts to register for Web-based services.