Microsoft Subnet An independent Microsoft community View more

Dyre banking trojan tweaked to spread Upatre malware via Microsoft Outlook

The U.S. is most affected by a new variant of Dyre that hijacks Microsoft Outlook to spread malware. But it's not just banks or bitcoin wallets being targeted as the University of Florida was a victim of Dyre/Upatre attack.

Malware
Credit: Lee Davy

Be warned, Drye and Upatre are under constant development including new and improved evasion and propagation techniques.

Dyre, the Zeus-like banking Trojan, made news in June when it bypassed SSL and targeted some of the largest global banks. By September, Dyre not only targeted financial accounts but also stole credentials and sensitive corporate data. By October, US-CERT warned about a phishing campaign linked with Dyre banking malware. By December, Dyre shifted tactics again to use I2P anonymization network for communication. At the end of January, a Dyre variant was hijacking Microsoft Outlook, targeting a larger number of banks and no longer using Cutwail spambot to distribute Dyre.

In fact, due to the recent redesign, structure overhaul and improved propagation and evasion techniques against security solutions, Trend Micro put Dyre on its watch list for notable malware for 2015.

Dyre typically arrives via an email attachment that claims to be a fax or a package tracking notification, but actually includes an Upatre downloader that installs Dyre. However, the newest version of Dyre downloads a worm that is “capable of composing email messages in Microsoft Outlook with the Upatre malware attached,” wrote Trend Micro threat response engineer Michael Marcos. “The malware uses the msmapi32.dll library (supplied by Microsoft Outlook)” to perform its mail-related routines and functions such as (e.g. Login, Send Mail, Attach Item).

Instead of tapping into the user’s contact list in the Microsoft Outlook email client, it connects to a command and control (C&C) server to select recipients, subject line and message content. The spam emails are sent with Upatre attached and the cycle repeats. “The worm deletes itself after executing this propagation routine.”

New Dyre variant uses Microsoft Outlook to spread Upatre Trend Micro

Marcos added:

The worm WORM_MAILSPAM.XDP connects to hard-coded command-and-control (C&C) server address in the binary file. It will then extract the necessary parameters from the C&C server in order to compose the spam/phishing email. WORM_MAILSPAM.XDP will then take over Microsoft Outlook of the affected to send out the emails. The worm deletes itself after executing this propagation routine.

Marcos noted that Dyre’s new evasion techniques include using the SSL protocol in all of its communications with the C&C server in order to hide data while it is being transmitted. If Dyre can’t connect to the C&C servers, it will either use URLs provided by the domain generation algorithm (DGA) function or by connecting to a hard-coded Invisible Internet Project (I2P) address; I2P is what Silk Road Reloaded and Cryptowall 3.0 use.

Dyre went from stealing information from a list of 206 websites, to expanding that list to 355 target sites. Most of the newly added targets are U.S. sites belonging to banks and bitcoin wallets. In January, Trend Micro found 68% of Drye infection in the U.S., followed by 10% in Canada and 4% in Chile.

Cyber crooks spam millions in a few minutes using Cutwail botnet to spread Dyre

Elsewhere, Symantec’s Nick Johnston reported that cybercriminals were using the Cutwail botnet in “short-duration, high-volume spam attacks targeting millions of users at a time” with a goal of trying to spread Dyre financial malware. The spam emails often appear to come from “Administrator” or a spoofed company or institution. The subject line is typical phishing bait such as claiming “Your tax return was incorrectly filled out.”

For the tl;dr folks, Symantec summed it up with the following graphic:

Cutwail botnet sends deluge of spam to spread Dyre Symantec

University of Florida targeted in Upatre, Dyre attack

The malware attacked hundreds of computers at the University of Florida, being distributed as a Windows ScreenSaver executable inside a ZIP file that was attached to email. Faculty or student victims who opened the ZIP and ran the ScreenSaver were infected with “a multi-stage malware suite not recognized by the majority of installed antivirus tools,” said UF Information Security expert Derris Marlin.

University of Florida Douglas Green

The emails appeared to be sent out from UF users with a subject line of “You have a new fa.” But “when people opened them, the malware cloned their online ID and spawned multiple emails to other account holders.” Although Upatre, which was used in stage one of the attack, had been tweaked to have a different signature, Marlin said Microsoft Security Essentials and the Mac version of Avast antivirus recognized and prevented the infection.

Dyre was described as stage two of the attack, designed to steal banking login credentials when users on infected PCs visited online financial institutions. Marlin said stage three “appeared to be a mass-mailer used to either blast out SPAM email from the infected computer or use email transport as a method or replication or both.”

Although the university sent out warnings to users and introduced network blocks within an hour of the attack being reported, Marlin told the Gainesville Sun that “hundreds of faculty and staff computers already had been infected.” He added, “Attempting to clean a host using only an Upatre cleaning tool will not guarantee that the computer will be cleaned.” Instead, users were advised to “reformat, reboot and restore from the last good backup.”

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.