The Evolution of Upatre and Dyre

Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog.  Dyre’s latest iteration shows  yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 shows three different emails, all with the same content but with different malicious links, which we we’ll use interchangeably in our examples.


Figure 1 — Screenshot of email


Figure 2 — Screenshot of email


Figure 3 — Screenshot of email


Figure 4 — Screenshot of email

Once the victim clicks the link in the mail, the redirection scripts direct the user to download an update for the new Outlook settings. Clicking on the malicious download link generates an initial GET request that downloads JavaScript code to pull further scripts (Figure 5).


Figure 5 — Downloading scripts

These scripts generate more GET requests that download a base64 encoded .zip file (file-header:PK and content:outlook_setting_pdf.exe) as shown in Figure 6. The file download and redirections used in our analysis example do not always work with GET requests, but do respond to POST requests. This indicates that attackers want to allow only traffic from compromised users to come through as opposed to new users clicking the link. This applies on a case-by-case basis.


Figure 6 — Base64 encoded .zip file

In Figure 7, the user downloads the .zip file (that was generated using the steps presented thus far) and is quickly re-directed to in the background to make the download appear legitimate. (Figure 8)


Figure 7 — Download of a .zip file


Figure 8 — Redirect to legitimate website

Upon execution of the malware, the malware makes an interesting beacon.


Figure 9 — Mini Dyre beacon

While this is part of the January 12th campaign targeting the UK (1201uk1 string) we can see that the traffic is in the clear. Dyre traffic is normally sent via HTTPS over port 443 or over port 4443. Typically, we shouldn’t be able to see it in the clear (for stage 1). However, in Figure 10, we can see the typical Upatre download of an encoded binary file.


Figure 10 — Upatre downloading Dyre

By dumping strings from the malware’s memory, not only do we see the download of the file from Upatre, but we are seeing references to the IP address from the Dyre beacon from Figure 9. This is significant because this shows a blending of Dyre and Upatre code into a new downloader, which we’ve dubbed Mini-Dyre.


Figure 11 — Memory dump from Mini-Dyre

Once Dyre is downloaded, it’s saved as a randomly named executable to C:\Windows, executed, and injected into the memory of the top-most svchost.exe. By dumping the memory of the top-most svchost.exe and grepping for :443 or :4443, we can get a list of the C2 IP addresses that they are using. (Author note: doing memory dumps like this can cut off the first number of an IP address. Check them before blocking)


Figure 12 — Memory dump of C2 IP addresses in svchost.exe

After a few minutes of being connected, Dyre downloads another tool, a mass-mailer. The communications are encrypted via SSL; however, if we step through the code with IDA (Figures 13 through 16), we can capture the requests to see what’s being transmitted.


Figure 13 — Web requests out


Figure 14 — Unicode data sent back to the attacker’s IP


Figure 15 — Data being transmitted to the attacker’s IP

They even set the locale to Russian.


Figure 16 — Locale set by the malware

The malware communicates with IP 37.187.71[d]173, which can be seen as both hard coded in the malware and the packet capture. Based on the sample we analyzed, we are seeing this to be true. It does not have to be necessarily true in all cases or for various other malware samples.


Figure 17 — Hard coded C2 credentials

The IP address is also related to Feodo, which can be seen from the listing on Feodo tracker.


Figure 18 — Listing on Feodo tracker

Additional strings can show what the malware is capable of.


Figure 19 — Strings from the mailer

Indicators pertaining to the file in the incident, “outlook_setting_pdf.exe” was the executable being carried by the zip file. The following Yara rule can help trigger on any matches to this condition.

rule PM_outlook_setting_pdf_exe



$a1 = “PK”

$a2 = “outlook_setting_pdf.exe”


$a1 at 0 and $a2


With the rapid evolution of the phishing delivery mechanisms, malware downloaders and the malware itself, we will have a very interesting year. The rate at which Dyre and Upatre have changed is rather amazing.

In conclusion, it’s better to be aware of the context behind the email, such as the sender, sender’s email, attachment, link, etc., so that users can protect themselves from becoming victims of such evolving attack mechanisms.

Links to the samples can be found here:

Mini-Dyre / Upatre with Dyre:


Dyre emailer:

Fighting Back Against a Fake Tech Support Call

’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.

The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.

Figure 1 - Google Search

Figure 1 — Google search for phone number provided

Once connected, I was directed to a website, “www.pcefix.webs[d]com” where I could download the information to allow the computer technicians to “fix” my system. These downloads were riddled with viruses.

Figure 2 Website download

Figure 2 — Website to download tools


Next, the technician instructed me to download Ammyy, a free tool for remote assistance. Downloading this file allowed the attackers to establish a remote connection back to their systems.

Figure 3 Ammyy config

Figure 3 — Ammyy configuration used by the attackers


For a more secure system, they switched to team viewer, which allowed a technician to take a look at the system. Once there, they opened Event Viewer in an attempt to show the number of viruses I had on the system. The screenshot is rather comical; as it’s blatantly obvious this is running in VMWare.

Figure 4 Technician showing errors

Figure 4 — Technician showing me the viruses and errors on my system


“Alex” also told me that hackers were in my system. I asked, “You mean like the ones from North Korea that hacked Sony?” With a chuckle…he confirmed that North Korean hackers were attacking my system. He even pulled up my INF files (Figure 5) to show me all of the files that the hackers added. (Figure 6)

Figure 5 search for files

Figure 5 — Search to see which files the hackers added


Figure 6 hacker files

Figure 6 — Files from hacker


He even went to the extent of opening one of the files and asking if I recognized it. When I didn’t know what the file was, he said, “This was added by the hacker.” He instructed me to run the scanning file “Router Tracer.bat” which would scan the system. From more of his analysis, it turns out I had 130 critical system files, expired protection, active hacking from China, as well as seven different hacking attempts. Not to mention that the file “hax.exe” was executed from startup h4x, as well as 100 viruses being sent by “Hacker”. (Figure 7)


Figure 7 infected system

Figure 7 — “Infected” system


It turns out this was a simple batch script that did nothing except echo these things out to the terminal.

Figure 8 Batch Script

Figure 8 — Batch script to check if my system was infected


Once Alex “convinced” me that my computer was infected, he offered me a few different payment options. The basic option was $199 for a 2-year warranty to fix my computer, $299 bought another 2 years, and $399 bought lifetime service for fixing every system in my house. What a deal! I agreed to the lifetime support, and he quickly presented me with a screen to enter my information, including a Government-issued ID number.

Figure 9 beginning of payment transaction

Figure 9 — Beginning of payment transaction


He was so kind as to fill in the token key as well.


Figure 10 token key

Figure 10 — Token key for payment


Next, I filled in credentials for a credit card for them to take a payment.

Figure 11 filling in banking information

Figure 11 — Filling in banking information for payment


It turns out that “Dine-Media Interactive”, the payment center who was taking the payment, has a Facebook page, and they are a startup in Bangalore, India that does rails development.

Figure 12 Dine media

Figure 12 — Dine Media, payment center that would receive payment


It looks like the company is doing pretty well for themselves, given that they are taking $399 dollars at a clip.

Dine media office photo

Figure 13 — Dine Media Office photo


All in all, no money was lost, and they lost a $399 dollar sale to fix my computers for life. Even through my many attempts at messing with them, they still continued through many iterations of me loudly playing Youtube clips of trollolol, nyan nyan cat, and “Gangnam Style”. Alex even said “Gangnam Style? This is one of my favorite songs!” “You mean the hackers are playing that through my computer?” “Yes, the hackers are playing that through the computer speakers.”

MS Word and Macros… Now With Social Engineering Malware

On December 11, one of our employees reported a phishing  email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:

Figure 1 -- Phishing Email

Figure 1 — Screenshot of phishing email

[Read more…]

Top 10 Phishing Attacks of 2014

With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content. [Read more…]

Two Attacks… Two Dyres… All Infrastructure

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)

Figure 1 phishing fax

Figure 1 — First wave of Dyre

[Read more…]

.NET Keylogger: Watching Attackers Watch You

Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.


Figure 1 — Screenshot of phishing email

[Read more…]

Bash Vulnerability CVE-2014-6271 – Worm-able and Possibly Worse Than Heartbleed

Post Updated 9/30/2014

Several months ago, the Internet was put to a halt when the Heartbleed vulnerability was disclosed. Webservers, devices, and essentially anything running SSL were affected; as a result, attackers were able to collect passwords, free of charge.

With Heartbleed, the exploit made a splash and many attackers started to use the vulnerability. One of the more high-profile attacks of Heartbleed was the CHS attack, where the attackers siphoned 4.5 million patient records by attacking a Juniper device, then hopping onto their VPN.

So how can something be bigger than Heartbleed? I’m glad you asked. [Read more…]