News & Commentary

2/3/2015
03:55 PM
Alexandra Gheorghe
Alexandra Gheorghe
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Banking Trojan Lurks Inside Innocent Fax Messages, Bitdefender Warns

Threat uses server-side polymorphism technique to bypass antivirus software.

A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, Bitdefender malware analysts warn.

The malicious spam messages carry links to HTML files. The files link to URLs directing to highly obfuscated Javascript code that automatically downloads a zip archive from a remote location.

Interestingly enough, each downloaded archive is named differently to bypass antivirus software. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new.

To take the con one step further, the same Javascript code redirects the user to the localized web page of a fax service provider as soon as the archive is downloaded.

The archive content looks like regular PDF files. They are in fact executable files with a PDF icon. They act as downloaders that fetch and execute the Dyreza banker Trojan, also known as Dyre.

Dyre Malware Analysis

First seen in 2014, Dyre is similar to the infamous Zeus. It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers inject malicious Javascript code, which allows them to steal credentials and further manipulate accounts – all in a completely covert way.

Despite facing a threat known to resist reverse-engineering techniques, Bitdefender malware researchers have managed to analyze it and uncover the list of targeted websites. Customers of reputable financial and banking institutions from the US, UK, Ireland, Germany, Australia, Romania, and Italy have been targeted.

However, despite the relative sophistication of the attack, it still relies on the user’s curiosity to look into the archive and manually run its contents. A bit of caution can reduce the chances of infection. Here’s what several malicious links look like:

According to Bitdefender Labs, 30,000 malicious emails were sent in one day from spam servers in the US, Russia, Turkey, France, Canada, and the UK. Curiously, the campaign’s name – 2201us – seems to indicate the attack date (22nd January) and the targeted country (US), Bitdefender malware researchers found.

Bitdefender detects and blocks all elements of the threat: the .js file, the downloader, and the executable. The Trojan is detected as Gen:[email protected] Bitdefender reminds users to avoid clicking links in emails from unknown email addresses and, of course, to keep their anti-malware solution up-to-date with the latest virus definitions.

This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian Miron and technical information provided by Bitdefender Virus Analysts Doina Cosovan, Octavian Minea, and Alexandru Maximciuc.

Alexandra fulfills the Security Specialist role for Bitdefender, performing writing duties such as security news for Bitdefender's security blog, as well as marketing and PR materials. She started writing about online security at the dawn of the decade - after 3-years in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8939
PUBLISHED: 2019-02-19
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.
CVE-2019-8935
PUBLISHED: 2019-02-19
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
CVE-2019-3812
PUBLISHED: 2019-02-19
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.