Dyre Trojan Expands to Career Website Targets

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will already have received our report on the Dyre Trojan; even before the report was issued, their SIEMs and scripts could retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their networks and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different from many of the previous Dyre campaigns, which used a spam “lure” built around a range of British brand names, with financial services companies extensively spoofed.  This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all carry the subject “Thank you for your payment”, and the sender address appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

Of the files in the archive, the “PDF” file is actually the Upatre executable, the TXT file is the Upatre-encoded version of the payload binary, and the “cube icon” file is the decoded Dyre Trojan itself.
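The lure described above (subject line, spoofed sender, and a .zip whose “PDF” is really an executable) can be checked for mechanically at the mail gateway. The following Python routine is an added example, not code from the original post or from PhishMe: it parses a raw message, matches the subject and From header against the indicators quoted above, and opens any .zip attachment to look for members that start with the PE “MZ” header regardless of their file extension. The sample message, its zip member name and the executable stub inside it are constructed placeholders, not samples from the campaign.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators taken from the post: the lure subject and the claimed sender.
LURE_SUBJECT = "Thank you for your payment"
LURE_SENDER = "nycserv@finance.nyc.gov"
PE_MAGIC = b"MZ"  # DOS/PE executable header; checked on content, not on the file name


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """List zip members and flag those whose content starts with a PE header.
    The extension is deliberately ignored: the Upatre dropper in this campaign
    carries a PDF-looking name but is an executable."""
    members: List[Dict[str, object]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    head = fh.read(2)
                members.append({"name": info.filename, "is_pe": head == PE_MAGIC})
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing to inspect
    return members


def triage_message(raw: bytes) -> Dict[str, object]:
    """Score a raw RFC 822 message against the campaign indicators.
    Two or more findings mark the message for quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    sender = (msg.get("From") or "").lower()
    findings: List[str] = []
    if subject.lower() == LURE_SUBJECT.lower():
        findings.append("subject matches the NYC Department of Finance lure")
    if LURE_SENDER in sender:
        findings.append("From header claims the nycserv@finance.nyc.gov sender")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        for member in inspect_zip(part.get_payload(decode=True) or b""):
            if member["is_pe"]:
                findings.append(f"zip member {member['name']} is a PE executable")
    return {"subject": subject, "findings": findings, "quarantine": len(findings) >= 2}


def build_sample_lure() -> bytes:
    """Constructed test message (placeholder names and content, not a real sample)."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        # A PDF-named member whose bytes are a PE header stub, mirroring the lure.
        zf.writestr("Payment_Details.pdf", PE_MAGIC + b"\x90\x00" * 30)
    msg = EmailMessage()
    msg["From"] = f"NYC Finance <{LURE_SENDER}>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Your payment has been processed. Details are attached.")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="Payment_Details.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message that should not be flagged."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Noon at the usual place.")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_lure()))
    print(triage_message(build_benign_message()))
```

The subject and sender checks alone are weak signals (the sender can change with the next campaign), so the archive inspection is what carries the decision: a PE header inside a zip whose member is named as a document is worth quarantining on its own.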

Career Sites Now Targeted

The Dyre Trojan uses a configuration file that lists the sites whose credentials it should steal and in what priority.  PhishMe Intelligence subscribers will be familiar with several previous Dyre reports on how these configuration files work.  The current version is the first time we have seen “career sites” targeted by Dyre.  The targeted pages are the employer-side login and job-posting pages of the following sites, which suggests the criminals intend to pose as employers:

SimplyHired, Indeed.com, Monster.com, GlassDoor, CareerBuilder.

The URL substrings that trigger Dyre’s special handling for these sites are listed below (* is a wildcard):
ads.simplyhired.com/simplypost/sign-in/*
ads.simplyhired.com/v/favicon.ico[?]*

secure.indeed.com/account/login*
employers.indeed.com/jobs?ts=*
employers.indeed.com/candidates?ts=*
*.indeed.com/v/favicon.ico[?]*

hiring.monster.com/Login.aspx*
hiring.monster.com/Challenge.aspx*
hiring.monster.com/jpw/Services/Secure/JCMIIWebServices/Jobs.asmx/GetJobs*
hiring.monster.com/v/favicon.ico[?]*

www.glassdoor.com/partners/login_input.htm*
www.glassdoor.com/v/favicon.ico[?]*

www.careerbuilder.com/share/verifyidentity.aspx*
www.careerbuilder.com/share/setchallengequestions.aspx*
www.careerbuilder.com/share/login.aspx*
www.careerbuilder.com/share/favicon.ico[?]*
www.careerbuilder.com/AJAX/GetProductsByUserGroup.aspx*
www.careerbuilder.com/jobposter/mycb/loadaccountwidgetdata.aspx*
www.careerbuilder.com/jobposter/ajax/myjobs/loadmyjobs.aspx*

Non-Career Sites Also Added Today

We’re not sure why the following were also added.  Perhaps the NewEgg entries indicate a desire to do a little shopping, or perhaps something more sinister is going on; note that the list covers the seller portal login as well as the shopper login and checkout pages.

secure.newegg.com/NewMyAccount/AccountLogin.aspx*
secure.newegg.com/Shopping/ShoppingLogin.aspx*
secure.newegg.com/*/CheckoutStep1.aspx*
secure.newegg.com/*/CheckoutStep2.aspx*
sellerportal.newegg.com/Pages/Account/LandingPage.aspx*
*.newegg.com/v/favicon.ico[?]*

The criminals are also targeting the administrators of mailing lists hosted by MailChimp.  A compromised account would allow them to deliver malicious emails on behalf of a “trusted” source, helping the criminals bypass spam-filtering controls.

mailchimp.com
*.admin.mailchimp.com/campaigns*
*.admin.mailchimp.com/lists*
*.admin.mailchimp.com/account/domains*
*.admin.mailchimp.com/reports*
mailchimp.com/v/favicon.ico[?]*

GoDaddy accounts would allow creation of domains and also modification of existing domains for malicious purposes.

*.godaddy.com*
*.godaddy.com/v/favicon.ico[?]*

Lastly, Accurint refers to the LexisNexis Accurint database, a very large collection of public records (more than 37 billion entries) that is used for verifying identities.  Access to such a database would give the criminals the personal details needed to answer identity-verification questions.

accurint.com/app/bps/main
accurint.com/1/favicon.ico[?]*
accurint.com
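The target lists above (career sites, NewEgg, MailChimp, GoDaddy and Accurint) double as a detection aid: any host on your network that visited one of these URLs while the campaign was live should be checked for Dyre. The following Python script is an added example, not code from the original post or from PhishMe. It translates the patterns into regular expressions and runs them over proxy log lines. The pattern syntax is an assumption, since the post does not spell it out: * matches any run of characters, [?] is a literal question mark, a bare ? matches any single character, and a match anywhere in the URL counts, because the post calls these “URL substrings”. The log lines are constructed for the example and the pattern list is a subset of the ones quoted above.

```python
import re
from typing import List, Pattern, Tuple

# Subset of the Dyre target patterns quoted in the post (host + path, no scheme).
DYRE_TARGETS = [
    "ads.simplyhired.com/simplypost/sign-in/*",
    "secure.indeed.com/account/login*",
    "employers.indeed.com/jobs?ts=*",
    "*.indeed.com/v/favicon.ico[?]*",
    "hiring.monster.com/Login.aspx*",
    "www.glassdoor.com/partners/login_input.htm*",
    "www.careerbuilder.com/share/login.aspx*",
    "secure.newegg.com/Shopping/ShoppingLogin.aspx*",
    "*.admin.mailchimp.com/campaigns*",
    "*.godaddy.com*",
    "accurint.com/app/bps/main",
]


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Translate a Dyre-style target pattern into a regex.
    Assumed semantics (not stated in the post): '*' is any run of characters,
    '[?]' is a literal '?', a bare '?' is one character, all else is literal."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("[?]", i):
            parts.append(r"\?")
            i += 3
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        elif pattern[i] == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


COMPILED: List[Tuple[str, Pattern[str]]] = [(p, pattern_to_regex(p)) for p in DYRE_TARGETS]


def strip_scheme(url: str) -> str:
    """Drop 'https://' etc. so patterns (host/path only) compare against log URLs."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url, flags=re.IGNORECASE)


def match_targets(url: str) -> List[str]:
    """Return every target pattern that matches somewhere in the URL (substring semantics)."""
    u = strip_scheme(url)
    return [p for p, rx in COMPILED if rx.search(u)]


# Constructed Squid-style proxy log lines ("timestamp client url"), not real traffic.
SAMPLE_PROXY_LOG = """\
1424102201.123 10.0.0.15 https://www.google.com/search?q=parking+fine
1424102230.456 10.0.0.15 https://hiring.monster.com/Login.aspx?ReturnUrl=%2f
1424102244.789 10.0.0.22 https://www.indeed.com/v/favicon.ico?v=3
1424102250.001 10.0.0.22 https://www.indeed.com/v/favicon.ico
1424102301.222 10.0.0.31 https://secure.newegg.com/Shopping/ShoppingLogin.aspx
"""


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Yield (client, url, pattern) for every log line that hits a Dyre target."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[2]
        for p in match_targets(url):
            hits.append((client, url, p))
    return hits


if __name__ == "__main__":
    for client, url, pattern in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} visited {url} (matches {pattern})")
```

Because the matching is substring-based, bare patterns such as accurint.com or *.godaddy.com* will also fire on ordinary browsing to those sites, so treat a hit as a lead for checking the host (Upatre and Dyre artifacts, the Upatre downloader’s dropped files) rather than as proof of compromise. The favicon.ico[?] entries only match when a query string is present, which the plain favicon request in the sample log does not have.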
