On June 13, 2014, PhishMe researchers warned of a new malware strain they called Dyre, being delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice.”
The emails contain links to files on LogMeIn’s Cubby.com file storage service. “Since Dropbox has been quick to block phishing links, the attackers needed a new legitimate service,” noted PhishMe’s Ronnie Tokazowski.
Click on the link in the email, and you’ll download a zip file. Open the zip file, and it installs the malware, which monitors all of the victim’s browser traffic, including SSL traffic, with the aim of stealing and uploading online banking login credentials.
“[Bank credentials] should be encrypted and never seen in the clear,” Tokazowski wrote. “By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality, your traffic is redirected to the attackers’ page. To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking.”
On June 16, 2014, CSIS researchers reported that the attackers are using money mules based in Riga, Latvia, and appear to be planning a new phishing campaign disguised as a Flash Player update. “Still, it’s unclear if this is provided as a ‘Crime as a Service’ or if it’s a full circle criminal outfit,” noted CSIS partner and security specialist Peter Krause.
Krause told Dark Reading that the malware seems to represent a new banker Trojan family, unrelated to the Zeus Trojan. “One of the biggest differences between Zeus and Dyre is how communication with the command-and-control infrastructure takes place,” he said. “With Zeus, data is usually encoded or encrypted, then passed back as raw binary data. With Dyre, the data is POSTed in the clear, making detection for enterprises with IDS capabilities very straightforward.”
But that may well change in the near future. “Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author,” Krause said.
Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, told cyber security news website eSecurity Planet by email that the threat from Dyre is being enabled at least in part by the blind trust too many users have in SSL/TLS. “In fact, 40 percent of mobile online banking applications are estimated to be vulnerable to man-in-the-middle (MITM) attacks without any cybercriminal effort,” he said.
PhishMe recommends taking the following five steps to mitigate the threat from Dyre:
1. Remove the phishing emails from inboxes.
2. Check proxy logs for traffic to Cubby that downloads zip files whose names contain “documents” or “invoice.”
3. Search for traffic to, and block, the IPs 220.127.116.11, 18.104.22.168, and 22.214.171.124.
4. Write IDS rules that look for a double POST within a short period of time (this will catch copycats, too).
5. Look for zip files containing .exe or .scr files (Web, IDS, host-based, etc.).
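Steps 2 through 5 are log-and-artifact checks, so they lend themselves to a small triage script. The following is an added example written for this page, not PhishMe’s or CSIS’s own tooling: it runs the Cubby zip-name check, the indicator-IP check, and the double-POST check over a constructed proxy log, and inspects a constructed zip for executable entries. The log format (ISO timestamp, client IP, method, URL, destination IP), the destination addresses other than the three quoted in the article, and the ten-second POST window are all assumptions; a real deployment would adapt the line parser to its proxy’s format and tune the window against baseline traffic.

```python
"""Triage helpers for the Dyre mitigation steps (constructed example)."""
import io
import re
import zipfile
from datetime import datetime, timedelta

# Step 3: indicator IPs as quoted in the article.
BLOCKED_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124"}
# Step 2 / step 5: name fragments and extensions of interest.
SUSPECT_ZIP_NAMES = ("documents", "invoice")
EXECUTABLE_EXTS = (".exe", ".scr")

# Constructed proxy log (assumed format):
# "<ISO timestamp> <client_ip> <method> <url> <dst_ip>"
# 203.0.113.x / 198.51.100.x are documentation addresses, not real hosts.
SAMPLE_PROXY_LOG = """\
2014-06-13T09:14:02 10.0.0.12 GET https://www.cubby.com/pl/documents.zip/_abc123 203.0.113.5
2014-06-13T09:14:40 10.0.0.12 POST http://220.127.116.11/tmp/ 220.127.116.11
2014-06-13T09:14:43 10.0.0.12 POST http://220.127.116.11/tmp/ 220.127.116.11
2014-06-13T09:20:11 10.0.0.33 GET https://www.example.com/report.pdf 198.51.100.7
2014-06-13T09:31:05 10.0.0.33 POST https://bank.example.com/login 198.51.100.9
2014-06-13T10:05:00 10.0.0.33 POST https://bank.example.com/login 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the constructed log into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, dst = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "dst": dst})
    return events


def cubby_zip_downloads(events):
    """Step 2: zip downloads from Cubby whose URL names 'documents' or 'invoice'."""
    hits = []
    for e in events:
        url = e["url"].lower()
        if "cubby.com" in url and ".zip" in url and any(n in url for n in SUSPECT_ZIP_NAMES):
            hits.append((e["client"], e["url"]))
    return hits


def blocked_ip_contacts(events):
    """Step 3: any request whose destination is one of the listed IPs."""
    return [(e["client"], e["dst"]) for e in events if e["dst"] in BLOCKED_IPS]


def double_posts(events, window_seconds=10):
    """Step 4: two POSTs from one client to one destination within the window.

    The window is an assumed tuning value; the article only says 'a short period'.
    """
    last_post = {}
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["method"] != "POST":
            continue
        key = (e["client"], e["dst"])
        prev = last_post.get(key)
        if prev is not None and e["ts"] - prev <= timedelta(seconds=window_seconds):
            hits.append(key)
        last_post[key] = e["ts"]
    return hits


def executable_entries(zip_bytes):
    """Step 5: entry names ending in .exe or .scr, matched case-insensitively."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def build_sample_zip():
    """Constructed attachment: a double-extension .SCR beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.SCR", b"placeholder bytes, not an executable")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_PROXY_LOG)
    print("Cubby zip downloads:", cubby_zip_downloads(evs))
    print("Indicator IP contacts:", blocked_ip_contacts(evs))
    print("Double POSTs:", double_posts(evs))
    print("Executable zip entries:", executable_entries(build_sample_zip()))
```

The double-POST check keys on (client, destination) and compares consecutive POSTs, so the two bank logins half an hour apart in the sample do not fire while the two beacons three seconds apart do; the zip check lowercases names before matching so a double extension such as `invoice.pdf.SCR` is caught.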