A Closer Look At DYRE Malware, Part 1

We’re nearing the holiday season and some of you might be going for some early holiday shopping—checking your money to go for a shopping splurge. The holiday season also ushers in cybercrime activities that are typical this time of the year:

  • We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRACK, and even some forms of the 419 scam.
  • We have also witnessed the increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, often times, phishing pages that mimic the official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post.

This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look of the malware itself, we will then place this malware within the whole threat ecosystem, with its ties to spam and even parcel mule scams, which refers to people who send packages in other parts of the world, acting as ‘mules.’  These people typically fall on this scam because of its ‘get rich easy’ nature.

All About DYR 

This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:

  • It has the capability to perform man-in-the-middle attacks through browser injections. It can also get browser snapshots, steal personal certificates, and steal information like the specific browser versions.
  • It steals bank credentials and monitors sessions involving online transactions to specific banks.
  • It can drop a configuration file that contains the list of targeted banks (via C&C updates) and the bot ID (comprises of the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks include international, American, and European ones.
  • It uses Session Traversal Utilities for NAT (STUN), a method for the end host to discover its public IP address if it’s within a network that does network address translation. It’s a common method for applications of real-time voice, video and other messaging services to discover its public IP address, or the IP address that is publicly visible in the internet. Cybercriminals use this method to know exactly the location of their malware (and possibly know who is trying to run it).

    Figure 1. Screencap of STUN method

  • It also has the capability download a VNC module.

A look into its network profile confirms details of the routines mentioned above:

  • Connections to C&C servers at Port 443, with a defined string format
  • Connections to STUN Servers
  • Accepting inbound connections
  • Although not presented in the screen capture below, the user agent being used is Opera/9.80

Figure 2. Network profile for TSPY_BANKER.DYR

The Entry Point
We now know what this malware does but how does it enter and infect a system?

Looking at the C&C server connection (Port 443), the port is HTTPS, meaning a certificate involved in the network transaction. After extracting the certificates from the packet captures, we were able to get two certificates. The first certificate claims to be Google. Compared to the real Google certificate, you can see the differences between the two.

Figure 3. Fake Google certificate

Figure 4. Authentic Google certificate

Meanwhile, the second certificate contains a specific set of values that is actually the default data entry when constructing a self-signed certificate via OpenSSL.

Figure 5. Second suspicious certificate

Figure 6. Default data entry

With the design of SSL and HTTPS, one of the attributes of a trustworthy website would require a real certificate validated by a trusted certificate authority (CA). The use (or reuse) of the same certificates as presented above clearly indicates that the sites themselves aren’t trustworthy.

Similar Suspects

We decided to cross-reference the reuse of these certificates and other website accesses of the same nature on different malware. We came up with two files that we detect as TSPY_ZBOT.WCDA and TROJ_UPATRE.WCDA. We then checked if they would have similarities to our original malware, TSPY_BANKER.DYR, by looking at the network activity of both files.

Figure 7. Network activity of a system infected with TSPY_ZBOT.WCDA

We also checked the HTTP headers to determine anything else and we saw an HTTP GET request to C&C servers.

Figure 8. HTTP Get request

There are some striking similarities with the network activity above, namely:

  • TSPY_BANKER.DYR has connections to STUN servers, similar to TSPY_ZBOT.WCDA
  • TSPY_BANKER.DYR has similar connections with the malware name/version in the HTTP/S request of TROJ_UPATRE.WCDA and other related URL strings
  • Both sets would attempt to use fake user-agent strings for outbound communication
  • Fake HTTP/S certificate reuse on both instances

The Spam Connection

Routines aren’t the only similarities between TSPY_BANKER.DYR and TSPY_ZBOT.WCDA and TROJ_UPATRE.WCDA. They also share the same method of arrival. We cross-referenced this kind of malware payload during the same time-frame and came across this spammed email.

Figure 9. Sample spammed email

This email pretends to be from the Royal Bank of Scotland (RBS). Analysis reveals the following noteworthy items:

  • It comes with RBS_Account_Documents.zip as an attachment. When extracted, it becomes a PDF icon called RBS_Account_Documents.scr. This file is detected as TROJ_UPATRE.WCDA.
  • The secondary file that is dropped is jiubl.exe, which we detect as TSPY_ZBOT.WCDA.
  • In fact, the HTTP GET request /ProfilePics/0809uk1.zip (seen in Figure 8) can somehow be deduced:
    • 0809 – which may be probably equated to September 8th, the date for which we’ve seen all of these malware and spam artifacts
    • UK – which may stand for United Kingdom – roughly the location of RBS headquarters

Is infection the last step for DYR malware? Hardly. Aside from stealing banking credentials, DYR malware is also involved with another threat—parcel mule scams. Details of this will be discussed in the second part of this entry.

With additional insight from Rhena Inocencio.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

A Closer Look At DYRE Malware, Part 1

Read more: A Closer Look At DYRE Malware, Part 1

Story added 8. October 2014, content source with full text you can find at link above.