Updated Dyre, Dropped by Office Macros

Whenever attackers make a shift in tactics, techniques, and procedures (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences from past Dyre samples. One PhishMe user was targeted at their personal account, and here’s a copy of the phishing email:

Figure 1 -- Phishing email

Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give a few more instructions to the user, saying that the data is “encoded” and macros need to be enabled to read the text.

The Evolution of Upatre and Dyre

Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog. Dyre’s latest iteration shows yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 show three different emails, all with the same content but with different malicious links, which we’ll use interchangeably in our examples.

Top 10 Phishing Attacks of 2014

With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.

Two Attacks… Two Dyres… All Infrastructure

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)

Figure 1 — First wave of Dyre

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.