
New Banking Trojan ‘DYRE’ Bypasses SSL Protection – CSIS

By Vikram Singh Rao, June 17, 2017

In June 2014, researchers at CSIS and PhishMe uncovered a new family of banking malware, called Dyre or Dyreza, designed to steal online banking credentials even from sessions protected by SSL/TLS. It does not break the encryption itself: it hooks the browser and reads the data before it is encrypted.

    On June 13, 2014, PhishMe researchers warned of a new malware strain they called Dyre, being delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice.”

    The emails contain links to files on LogMeIn’s Cubby.com file storage service. “Since Dropbox has been quick to block phishing links, the attackers needed a new legitimate service,” noted PhishMe’s Ronnie Tokazowski.

Click the link in the email and a zip file is downloaded. The archive contains an executable (a .exe or .scr file); running it installs the malware, which monitors all of the victim’s browser traffic, including HTTPS sessions, with the aim of stealing online banking login credentials and uploading them to the attackers.

    “[Bank credentials] should be encrypted and never seen in the clear,” Tokazowski wrote. “By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality, your traffic is redirected to the attackers’ page. To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking.”
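A toy illustration of the ordering Tokazowski describes, added here and not code from PhishMe or from Dyre: the “browser” below encrypts only inside its tls_send function, so a hook installed on that call sees the plaintext while an observer on the network sees only ciphertext. The function names, the import-table lookup that stands in for the browser’s real call seam, the SHA-256 counter-mode stand-in for the TLS record cipher, and the form fields are all assumptions made up for the example.

```python
"""
Toy illustration of why TLS does not protect a compromised endpoint:
a 'browser' encrypts form data only inside tls_send(), so anything that
hooks the call *before* it runs sees the plaintext.  Constructed example,
not Dyre code; the toy 'cipher' stands in for TLS and is NOT a real one.
"""
import hashlib

# --- the "browser": call path is submit_form -> tls_send --------------------

WIRE = []                                     # what a network observer sees
SESSION_KEY = hashlib.sha256(b"toy session key").digest()   # fixed for demo

def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in for the TLS record cipher: SHA-256 in counter mode."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def tls_send(host: str, plaintext: bytes) -> None:
    """Encrypt the record and put it 'on the wire'."""
    ks = _keystream(SESSION_KEY, len(plaintext))
    WIRE.append((host, bytes(a ^ b for a, b in zip(plaintext, ks))))

# Simulates the browser's import table: the call goes through a lookup,
# which is the seam an inline or IAT hook replaces (assumed, for the demo).
IMPORTS = {"tls_send": tls_send}

def submit_form(host: str, fields: dict) -> None:
    """Serialise a login form and hand it to 'TLS'; plaintext ends here."""
    body = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    IMPORTS["tls_send"](host, body)

# --- the "hook": what a banker trojan installs inside the browser process ---

CAPTURED = []

def install_hook() -> None:
    """Replace the import-table entry with a wrapper that copies credentials."""
    original = IMPORTS["tls_send"]

    def hooked(host: str, plaintext: bytes) -> None:
        if b"password=" in plaintext:     # grab credentials pre-encryption
            CAPTURED.append((host, plaintext))
        original(host, plaintext)         # pass through so the site still works

    IMPORTS["tls_send"] = hooked

def demo() -> dict:
    """Run one hooked login and return what each side saw."""
    install_hook()
    submit_form("bank.example", {"user": "alice", "password": "hunter2"})
    return {"captured": CAPTURED[-1][1], "wire_bytes": WIRE[-1][1]}
```

The point of the demo is the position of the hook, not the strength of the cipher: the wire carries ciphertext of the right length, yet the hook has the full login body, which is exactly what a network-side TLS inspection cannot see and a host-side control (browser integrity, anti-hooking, EDR) must.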

    On June 16, 2014, CSIS researchers reported that the attackers are using money mules based in Riga, Latvia, and appear to be planning a new phishing campaign disguised as a Flash Player update. “Still, it’s unclear if this is provided as a ‘Crime as a Service’ or if it’s a full circle criminal outfit,” noted CSIS partner and security specialist Peter Krause.

    Krause told Dark Reading that the malware seems to represent a new banker Trojan family, unrelated to the Zeus Trojan. “One of the biggest differences between Zeus and Dyre is how communication with the command-and-control infrastructure takes place,” he said. “With Zeus, data is usually encoded or encrypted, then passed back as raw binary data. With Dyre, the data is POSTed in the clear, making detection for enterprises with IDS capabilities very straightforward.”

    But that may well change in the near future. “Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author,” Krause said.

Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, told the security news site eSecurity Planet by email that the threat from Dyre is being enabled at least in part by the blind trust too many users have in SSL/TLS. “In fact, 40 percent of mobile online banking applications are estimated to be vulnerable to man-in-the-middle (MITM) attacks without any cybercriminal effort,” he said.

PhishMe recommends taking the following five steps to mitigate the threat from Dyre:

1. Remove the phishing emails from inboxes
2. Check proxy logs for downloads of zip files from Cubby whose names contain “documents” or “invoice”
3. Search for traffic to, and block, the IPs 85.25.148.6, 217.12.207.151 and 192.99.6.61 (these are the June 2014 indicators; IP reputation changes over time, so re-verify them before blocking)
4. IDS rules looking for a double POST within a short period of time (this will catch copycats, too)
5. Look for zip files containing .exe or .scr files (web proxy, IDS, host-based, etc.)
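The detection side of steps 2 to 5 above, and of Krause’s point that Dyre’s clear-text POSTs are easy to spot with an IDS, as an added example that is not PhishMe’s or CSIS’s code. It runs the checks over a few constructed proxy log lines (made up for the example, in an assumed space-separated time/client/method/url/status format) and over a zip archive built in memory; the indicator IPs and the “documents”/“invoice” names are the article’s, while the five-second “short period” for the double-POST rule is an assumption.

```python
"""
Detection logic for PhishMe's Dyre mitigation steps 2-5, run over
constructed proxy log lines (not real logs) and an in-memory zip.
"""
import io
import re
import zipfile
from datetime import datetime, timedelta

# Indicators quoted in the article
BAD_IPS = {"85.25.148.6", "217.12.207.151", "192.99.6.61"}
LURE_HOST = "cubby.com"
LURE_NAMES = ("documents", "invoice")
DOUBLE_POST_WINDOW = timedelta(seconds=5)   # assumption: "short period"

# Constructed sample log: time client method url status (assumed format)
SAMPLE_LOG = """\
2014-06-13T09:01:02 10.0.0.5 GET https://www.cubby.com/pl/invoice_0613.zip 200
2014-06-13T09:01:40 10.0.0.5 POST http://85.25.148.6/v1/data 200
2014-06-13T09:01:41 10.0.0.5 POST http://85.25.148.6/v1/data 200
2014-06-13T09:05:00 10.0.0.9 GET https://www.example.com/index.html 200
2014-06-13T09:06:10 10.0.0.9 POST https://www.example.com/login 302
2014-06-13T09:30:00 10.0.0.9 POST https://www.example.com/search 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log: str):
    """Yield (timestamp, client, method, url, status) for well-formed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, status = m.groups()
            yield datetime.fromisoformat(ts), client, method, url, int(status)

def host_of(url: str) -> str:
    """Hostname or IP literal from a URL, without scheme, path or port."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]

def find_lure_downloads(log: str) -> list:
    """Step 2: zip downloads from Cubby named like 'documents' or 'invoice'."""
    hits = []
    for _, client, _, url, _ in parse(log):
        name = url.rsplit("/", 1)[-1].lower()
        if (host_of(url).endswith(LURE_HOST) and name.endswith(".zip")
                and any(n in name for n in LURE_NAMES)):
            hits.append((client, url))
    return hits

def find_c2_traffic(log: str) -> list:
    """Step 3: any request whose host is one of the listed IPs."""
    return [(client, url) for _, client, _, url, _ in parse(log)
            if host_of(url) in BAD_IPS]

def find_double_posts(log: str, window=DOUBLE_POST_WINDOW) -> list:
    """Step 4: two POSTs from one client to one host within `window`."""
    last = {}
    hits = []
    for ts, client, method, url, _ in parse(log):
        if method != "POST":
            continue
        key = (client, host_of(url))
        if key in last and ts - last[key] <= window:
            hits.append(key)
        last[key] = ts
    return hits

def zip_has_executable(data: bytes) -> bool:
    """Step 5: does the archive carry a .exe or .scr (case-insensitive)?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith((".exe", ".scr")) for n in zf.namelist())

def make_zip(names) -> bytes:
    """Build a small zip in memory so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"\x00")
    return buf.getvalue()
```

Step 4 is the one rule here that survives a change of infrastructure: steps 2 and 3 match 2014 hosting and C2 indicators that the criminals can rotate at will, whereas the double POST is a behaviour of the client-side implant, which is why PhishMe notes it will catch copycats as well. Note also that step 5 matches on the file name inside the archive, not on the extension of the archive itself, which is what “invoice.zip” is chosen to hide.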

    Sources: PhishMe, CSIS, eSecurityPlanet