Security researchers investigating the recent phishing campaigns abusing Dropbox have have noted that the attackers have moved on to employing a rival service Cubby for their operations, and have also discovered a new malware strain that was previously unidentified.
“When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part,” wrote Ronnie Tokazowski. “However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named Dyre.”
This researchers say the new strain is capable of bypassing the SSL protections in browsers in an effort to steal targets’ bank credentials.
“The malware downloads as a screen saver file inside of a zip file. Once the user opens the zip file and runs the .scr file, the malware beacons out to several hard coded IP addresses,” Tokazowski said. “Once the IP addresses can be reached, the malware will make the following GET request for a path to /publickey/. The current function of this data is unknown.”
The malware then transmits a beacon containing the OS in a GET request, and a second GET request is sent where a potential command is sent back, and the malware continues to beacon, presumably to let the attackers know it is executing.
“At this point, the malware kept beaconing out with the same ‘I’m alive’ beacon, and no other data was being pulled down. Wanting to entice the malware to do a little more, I opened Firefox, directed the browser to Google and was amazed at what happened next,” Tokazowski continued.
A POST request goes out to the attackers and Tokazowski said he could see that the search query was being presented to them at that point, so encryption had been bypassed, and the session could be hijacked because a cookie is also passed, “allowing the attacker to log in as that user if they so desired.”
“Here’s the kicker. All of this should be encrypted and never seen in the clear. By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers page,” Tokazowski said.
Read More Here…