CIS CYBER ALERT

DATE ISSUED:
10/16/2014
01/16/2015
02/23/2015 - Updated

SUBJECT:
Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan

CIS continues to receive reports of massive spam campaigns targeting SLTTs and other sectors. Dyre is a banking trojan similar to Zeus/Citadel, built to harvest banking credentials for use in financial fraud. However, newer variants have been observed that also harvest credentials for career-related sites such as monster[.]com and careerbuilder[.]com. Other sites now being targeted include newegg[.]com, mailchimp[.]com, godaddy[.]com and accurint[.]com. The harvesting of MailChimp credentials is likely a means of collecting more email addresses, or of compromising accounts so the attackers can send phishing emails from a supposedly trusted sender. The GoDaddy harvesting is likely for the creation of new malicious domains or the modification of existing domains for malicious purposes. The accurint[.]com credentials would give the attacker access to the LexisNexis database, a large repository of public record information.

The initial versions of Dyre were spread by the Upatre trojan downloader, which was also observed downloading mass mailer worms such as Cutwail along with password and contact harvesting trojans such as Kegotip. The updated version of Dyre is still initially distributed through the Upatre downloader, but once downloaded, the Dyre trojan itself now appears to be responsible for downloading the mass mailing trojan being used. This mass mailing trojan now uses Outlook’s msmapi32.dll library for mail functionality and downloads its list of contacts from C2 servers. Once the contacts have been received, it sends phishing emails with the Upatre trojan downloader as an attachment to further propagate the malware.

Phishing emails used in the campaigns contain a variety of lures, including links to sites hosting malware as well as malicious attachments. Currently AV products detect this malware as Trojan Upatre/Dyre/Zbot. The malware continues to evolve, requiring AV vendors to update signatures regularly.

Phishing Email Characteristics:

Below is a list of subject lines observed in 2015 Dyre phishing campaigns:

  • “Wire transfer receive”
  • “Medicines here”
  • “Complaint against your company”
  • “Payment Advice - advice Ref:[xxxxxx]/CHAPS credits”
  • “Company repor” (note the missing t in “report”)
  • “Wire transfer complete”
  • “Important – New Outlook Settings”
  • “Your Documen” (note the missing t in “Document”)
  • “Voice Message”
  • “Employee Documents – Internal Use”
  • “Fwd Wire Payment”

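Added example (not part of the CIS alert): a Python gateway-side filter that normalizes incoming subjects (case, Unicode dashes, Re:/Fwd: prefixes) and matches them against the subject lines listed above, treating the [xxxxxx] reference as a wildcard. The subject list is transcribed from this alert; the message IDs and sample subjects are constructed.

```python
import re
import unicodedata

# Subject lines observed in the 2015 Dyre campaigns, as listed in the alert.
# Two of them deliberately keep the missing "t" the alert points out.
DYRE_SUBJECTS = [
    "Wire transfer receive",
    "Medicines here",
    "Complaint against your company",
    "Payment Advice - advice Ref:[xxxxxx]/CHAPS credits",
    "Company repor",
    "Wire transfer complete",
    "Important - New Outlook Settings",
    "Your Documen",
    "Voice Message",
    "Employee Documents - Internal Use",
    "Fwd Wire Payment",
]

def normalize(subject):
    """Lower-case, fold Unicode dashes to ASCII, collapse whitespace and strip
    leading Re:/Fw:/Fwd: prefixes so trivial rewording does not evade the filter."""
    s = unicodedata.normalize("NFKC", subject)
    s = s.replace("\u2013", "-").replace("\u2014", "-")
    s = re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", s, flags=re.I)
    return re.sub(r"\s+", " ", s).strip().lower()

def to_pattern(subject):
    """Compile an observed subject into an anchored regex; a '[xxxxxx]'
    placeholder becomes an alphanumeric wildcard for the reference number."""
    parts = [re.escape(p) for p in re.split(r"\[x+\]", normalize(subject))]
    return re.compile("^" + r"[0-9a-z]+".join(parts) + "$")

PATTERNS = [to_pattern(s) for s in DYRE_SUBJECTS]

def matches_dyre_subject(subject):
    """True when the subject matches one of the known Dyre lures exactly
    (after normalization); 'Company report' with the t present is NOT flagged."""
    n = normalize(subject)
    return any(p.match(n) for p in PATTERNS)

def filter_messages(messages):
    """Partition (message_id, subject) pairs into quarantined and delivered IDs."""
    quarantined, delivered = [], []
    for msg_id, subject in messages:
        (quarantined if matches_dyre_subject(subject) else delivered).append(msg_id)
    return quarantined, delivered
```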
System Level Indicators (if exploitation is successful):

  • Copies itself to C:\Windows\[RandomName].exe
  • Creates a service named “Google Update Service” by setting the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"

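Added example, not from the CIS alert: a Python check that takes service records (Name, DisplayName, ImagePath as read from HKLM\SYSTEM\CurrentControlSet\Services, for instance from a host inventory export) and flags the persistence pattern above. The sample records are constructed, and the heuristic that a service binary sitting directly in the Windows directory root is suspicious is an assumption of this example, not a claim from the alert.

```python
import re

# Persistence indicators from the alert: a service key named "googleupdate",
# a DisplayName of "Google Update Service", and an ImagePath pointing at a
# randomly named .exe dropped directly under C:\Windows.
SUSPECT_KEY_NAME = "googleupdate"
SUSPECT_DISPLAY_NAME = "google update service"
# Assumption: legitimate service binaries rarely live in the Windows root itself.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)

def strip_quotes_and_args(image_path):
    """Reduce an ImagePath such as '"C:\\x\\y.exe" -k' to the bare executable path."""
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', image_path)
    return (m.group(1) or m.group(2)) if m else image_path

def assess_service(svc):
    """Return the reasons a service record looks like Dyre persistence (empty if none).
    svc is a dict with keys Name, DisplayName and ImagePath."""
    reasons = []
    name = svc.get("Name", "").lower()
    display = svc.get("DisplayName", "").strip().lower()
    exe = strip_quotes_and_args(svc.get("ImagePath", ""))
    if name == SUSPECT_KEY_NAME:
        reasons.append("service key name matches Dyre indicator")
    if display == SUSPECT_DISPLAY_NAME:
        reasons.append("display name matches Dyre indicator")
    if WINDOWS_ROOT_EXE.match(exe):
        reasons.append("binary sits directly in the Windows directory root")
    return reasons

def find_suspect_services(services):
    """Return {Name: reasons} for every record that trips at least one check."""
    hits = {}
    for svc in services:
        reasons = assess_service(svc)
        if reasons:
            hits[svc["Name"]] = reasons
    return hits

# Constructed sample records (not real host data); the first mirrors the alert's keys.
SAMPLE_SERVICES = [
    {"Name": "googleupdate", "DisplayName": "Google Update Service",
     "ImagePath": r"C:\WINDOWS\pfdOSwYjERDHrdV.exe"},
    {"Name": "gupdate", "DisplayName": "Google Update Service (gupdate)",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for name, reasons in find_suspect_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```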
Networking Functionality:

The Dyre trojan will initially attempt to contact its C2 servers over an encrypted SSL connection. If this connection fails, it will attempt to connect using addresses produced by a domain generation algorithm (DGA) or hardcoded Invisible Internet Project (I2P) addresses.

Network Level Indicators:

Initial malware downloads (links from phishing emails without attachments):

Payload downloads:

C2 IPs:

Please note that the domain and IP indicators above were observed during our analysis; the list does not represent all network indicators for this campaign.

Recommendations:

  • Implement filters at your email gateway to drop emails with known Dyre subject lines.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating systems, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened according to industry-accepted guidelines.
  • Make sure all AV products are up to date with their signatures.
  • Block and log attempted connections to malware download sites, payload download sites and C2 infrastructure.