Slava Ukraini: Dyre Returns

It has been a few weeks since the original discovery of the Dyre malware, and the attackers have sent another wave of phishing. This time, the phishing campaign only went to one senior level individual within our enterprise.

Here’s a screenshot of the phish:

Figure 1 – Phishing Email

In the last few campaigns, the attackers made it difficult to access their Google Analytics page. However, the attackers slipped up this time, making it possible to uncover how many potential victims have fallen for the link. This gives us further insight into the geographical location they may be targeting as well.

Figure 2 – 109 Potential Victims

We can also see the country and browser that the individuals are using.

Figure-3

Figure 3 – Browser and Country Distribution

Once the zip file containing a screensaver file is downloaded and executed, several files are downloaded. The detection rate for the malware is very low, and starts out with the Upatre dropper with 12 out of 53 (at time of writing) AV vendors detecting the threat.

Another file, flagged as kegotip by the VirusTotal community, has an even lower detection ratio of 11 out of 54 AV vendors

Figure 4 – VirusTotal analysis of kegotip sample

And for our third piece of malware, Dyre joins the show! At the time of this writing, this is only picked up by 10 of 54 AV vendors.

Figure 5 – Dyre malware

Based off the network data in Figure 6, we can further confirm this is Dyre, as it matches the network traffic from our previous analysis.

Figure 6 – Dyre malware traffic

While googleupdaterr.exe is quick to exit, if you’re quicker, it is possible to obtain a memory dump via process explorer. (Author note: Volatility works too, but for brevity, I prefer process explorer approach). In the previous variant of Dyre, we saw the string “C:\CPP_PROJECTS_GIT\DYRE\x64\Release\iebattle.pdb” as the project path. Performing strings on the memory dump does not show this existing.

However, by grepping for “DYRE”, I believe the attackers have left us the message of “I’m DYRE”. By looking before and after this string, the following phrase of “Slava Ukraini!” is there as well, which translates to “Glory to the Ukraine!”

Figure 7 – Hidden message in Dyre malware

By looking at the capitalization of the phrases, we can come up with many possible theories, but won’t truly know unless the author leaves us more clues. “I’m DYRE!” may show that the attacker is referred to as Dyre or wants the malware referred to as that, or it could be slang, such as rouji (肉鸡), that is common among attackers.

“Glory to Ukraine!” seems to have a deeper meaning to the malware author. This phrase is common in the Ukraine, and has even been referred to as the unofficial motto. Jared Leto also shouted “Glory to Ukraine” during a concert in Kiev, supporting the independence movement.

How to find this in your enterprise

Here are a few tips for finding this malware and preventing further infections:

  • Look for zip files being downloaded that contain executables and screen savers.
  • Search for email artifacts from figure 1 to help identify this one and variants.
  • Kimberly at StopMalvertising has put together a very deep analysis of Dyre, as well as the new changes in the malware. (removal of compilation artifacts)

Leave a Reply