Skip to content ↓ | Skip to navigation ↓

In the spring of 2014, researchers at the Center for Strategic and International Studies identified a powerful strain of banking malware whose code functions similarly to that of ZeuS.

The malicious software, now formally known as Dyreza, hooks into Internet Explorer, Chrome and Firefox, at which point in time it harvests sensitive data whenever users visit the websites of targeted major banks, including Bank of America and Citibank.

Last fall, Dyreza also used phishing emails in an attempt to steal the login credentials of Salesforce administrators.

For each of its campaigns, as noted in the research of two security analysts for Talos Group, the malware has either hardcoded its URLs when communicating with its command and control (C&C) servers or (more recently) employed a domain generation algorithm. Both of these tactics fool automated tools – one of four common tactics used by malware to evade detection.

It would now appear that Dyreza has incorporated some additional features to increase its reach and efficiency.

According to a post published on Heimdal Security’s blog, the malware’s newest variant can collect banking data from the Microsoft Edge web browser. It also includes support for Windows 10 and as such can enlist users of the Microsoft platform into a botnet.

windows 10 dyreza
Source: Heimdal Security

These new functionalities, Heimdal explain, factor into the way in which Dyreza is designed:

“As it happens more and more often with financial malware, Dyreza is also a ‘Crime as a Service network’ that anyone can buy into,” the web security firm observes. “To make it even more appealing – and, consequently, financially viable – the makers have also predefined a group of targets in the code configuration file. The targets are typically online banking websites. All cyber criminals have to do is buy the malware and deploy it. This is how low-tech attackers can target more unsuspecting victims and harvest their financial information to get into their bank accounts, while malware creators reap the financial benefits of massively selling the malware kits.”

Most Dyreza infections begin with a “spray and pray” campaign, a spamming operation that as noted by International Business Times targets random users and attempts to install the malware using the Upatre downloader.

Once it has been installed on a machine, the malware steals users’ banking information and enlists their computers into a botnet. Some 80,000 machines have all ready been infected, but that number is expected to grow in the coming weeks.

Indeed, with Black Friday and the holiday season just around the corner, Heimdal anticipates that users who are busy and prone to multitasking will choose convenience and sales over safety, which could lead to additional Dyreza infections.

At the same time, Dyreza has created two new modules – “aa32” (x86) for 32 bit or “aa64” (x64) for 64-bit – that attackers can use to terminate a number of processes associated with endpoint security software.

These toolsets help the malware to achieve a high distribution rate among potential victims and a low detection score among anti-virus providers, thereby assisting the trojan’s creators to prolong their presence on an infected machine.

Since the publication of Heimdal’s post, Microsoft has updated its information on Dyreza in a manner that corroborates the security firm’s findings, as reported by ZDNet. The tech giant is currently working to harden Edge against web attacks and malware.

In the meantime, it is alerting users to two telltale signs that might indicate a Dyreza infection. These are:

  • The presence of two files: “%APPDATA%\local\[random aplha numeric characters].exe” and/or “%APPDATA%\local\[random aplha numeric characters].exe”.
  • Sudden prompts by their firewall to allow higher access privileges to programs such as “explorer.exe” and “svchost.exe”.

To learn how you can protect yourself against a Dyreza infection, please click here.

Title image courtesy of ShutterStock