A Closer Look at DYRE Malware, Part 2

In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.

The Parcel and the Mule

During our analysis of DYR malware, Global BlackPoint, a web panel, was uncovered.

Figure 1. Global BlackPoint site

A quick search online led to domain listings, which have been leased over a year ago. The intended audience of this site can choose to shop for select items.

Figure 2. Items for sale

However, research and intelligence about the contents of this web panel pointed to the fact that it’s being used as a site to purchase items in the United States and re-ship them to different locations. The site indicates this within its terms and conditions of use.

Figure 3. Terms and conditions

These goods are delivered to individuals who live within the United States, who then ship them elsewhere in the world. These individuals may have titles such as “Shipping and Receiving Manager” or “Logistics Specialist,” but in reality, they are actually “mules.” Hired from job postings on sites like Craigslist, these individuals were promised around US$50 per parcel or around US$2,000 a month.

This elaborate scheme is sometimes called parcel mule scam, or reshipping scam. Cybercriminals gain profit from these scams as they use money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired in order to smuggle the goods out of the country. Hiring mules also lessens the possibility of the smuggling activity being traced back to the criminals. These kinds of scams have been around for some time but people fall for this type of scam due to its “get rich quick” nature.

Retracing the Steps

In short, we have a three-step threat story:

  • One possible entry point is spammed commercial or banking email. The main objective is to get lots of people to click on the malware component, and infect as many.
  • These components would get a secondary infection, another malware, to get another component. We call this TSPY_BANKER.DYR, otherwise known as DYREZA, DYRANGES or BATTDIL. The objective here is to grab banking credentials for money.
  • Once money has been pilfered, these goods are delivered to package mules which re-ship these goods for delivery to locations outside the United States. This kind of operations is classically called parcel mule scam or reshipping scam.


Against spam and BANKER malware:

  • Know your bank policies. If you receive an email and don’t have an account in the said bank, it’s not worth reading, delete it immediately. You can also call the nearest branch if you want to validate details.
    • If you’re reading mail via a web browser (web mail), try to make sure that the mail hosting service is reliable enough and has some sort of built-in anti-spam and anti-phishing capabilities.
    • If you’re reading email via an email client, most would have security features turned on by default. Use them to secure your email reading.
    • The use of an antivirus with web reputation services to block any suspicious link and attachment is also recommended.
  • A full-featured antimalware solution is the best tool against this type of threat scenario. The solution should be able to block malicious files based on signature and behavior and has a firewall to filter inbound and outbound connections. It would be better if it offers client-side utilities like spam and URL filtering. A cloud-based solution is also ideal, in order to have the most up-to-date protection.
  • In unfortunate cases of infection, it’s better to stop it as early as you can. Change passwords immediately and monitor your online banking transactions. If you spot any suspicious activity, call your bank immediately.

Against parcel mule scams:

  • Work-from-home jobs certainly exist but if they sound too good to be true, check and double-check them first. It’s important to always research the business trying to recruit you, even when in dire need.
  • Be informed about parcel mule scams. The U.S. Postal Inspection Service has a page about reshipping scams.
  • Victims of such scams can file a complaint with the Internet Crime Complaint Center (IC3), which processes online crime complaints from victims and third parties.

With additional insight from Rhena Inocencio.

Related hashes of files discussed in this series:

  • 4FD6C74EE50CA470869D8FAB1AB2C3D1C19E20CE
  • 145c82caa303bd141fd6069ab92fefdfac3568bc
  • e32ef7def60a8ccc0c051182f2103dbbfe6de625
  • B2CAF5A18279C1CB10DA174C581A7138FF8B0CF2
  • B9F3D4C1531F128AB032EA6D752BAB008EC59921

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

A Closer Look at DYRE Malware, Part 2

Read more: A Closer Look at DYRE Malware, Part 2

Story added 10. October 2014, content source with full text you can find at link above.