FREMONT, CA: IBM discovers malware that steals funds from banks. A new variant of the Dyre (Dyreza) financial malware targets numerous financial institutions by infusing sophisticated propagation and evasion techniques. The report from IBM suggests the new version of the malware (DYRE) targets 355 websites belonging to banks and Bitcoin wallets.
The DYRE Malware Modus Operandi
The users targeted through this malware will be affected only if they click an attachment or URL in a phishing email. Once the lightweight Trojan downloaded called Upatre – embedded in the phishing email – is opened, it will download the malware which upon execution will inject itself in the svchost.exe process, the IBM report says.
“The malware also spawns a hidden instance of Internet Explorer and makes several web requests including creating a private Invisible Internet Project (I2P) network (basically a DARKNET) to anonymously exfiltrate data,” reports David Mcmillen, Senior Threat Researcher, IBM.
The malware (DYRE) when installed will download additional malware that can compose email messages automatically in Microsoft Outlook with the DYRE malware attached using the msmapi32.dll library to perform email-related functions such as login, send Mail, attachments.
“The malware used by this latest variant of Dyre doesn’t send spam emails to the victim’s contacts, instead it uses email addresses passed by the C&C server. Once the emails are sent, the malware deletes itself,” adds Mcmillen.
The malware has been found to have modified clients’ online banking profiles to enable international money transfer. “It has been reported that 90% of international transfer activations were not customer initiated as a result of Dyre infections,” the IBM report said.
Evading the DYRE Consequences
To prevent DRYE attack, IBM recommends: users should use a solution that includes inbound email sandboxing; analyze and inspect web traffic in real-time. Employees are required to use Virtual Private Networks (VPNs.)