Since mid-2014, cybercriminals have used large distribution campaigns to infect millions of machines with the Dyre Trojan, a massively distributed malware. First identified in June 2014 as a malware that primarily steals banking credentials, Dyre has undergone many changes in a very short period. In September 2014, a variant of the Trojan was used to target business data by capturing employees’ credentials when they logged into SalesForce.com. Another variant now uses some noteworthy propagation and evasion techniques.

Machines compromised by Dyre are at risk of credential theft and other types of threats. Since Dyre can receive new operational commands from the command-and-control (C&C) server, it can be used to target different organizations or download and install additional malware. This combination of capabilities makes Dyre a very dangerous advanced persistent threat (APT) tool.

New Variant of Dyre Trojan Spreads Malware Using Victims’ MS Outlook Client

A new variant of the Dyre Trojan was recently discovered by researchers at Trend Micro. This Dyre variant hijacks Microsoft Outlook to spread the Upatre downloader and infect more users with malware. The attack starts with a spam or spear phishing email disguised as a fax or package delivery details that includes the Upatre downloader. Examples of the spear phishing emails as provided in the Trend Micro blog are shown below:

After the Upatre payload is delivered to the machine, it contacts a C&C server and delivers the Dyre payload. Dyre then contacts a C&C server and downloads a worm that was detected by Trend Micro and identified as WORM_MAILSPAM.XDP. The worm then uses the Microsoft Outlook email client installed on victims’ devices to send out spear phishing emails with Upatre attached. Then, the cycle repeats. Once the emails are sent, the worm deletes itself so no evidence is left on the machine.

An interesting point is that while the worm compromises the victim’s Microsoft Outlook email client, it doesn’t send spam emails to the victim’s contacts. Instead, it gets the email list from the C&C server to select recipients, subject line and message content.

Dyre Trojan Incorporates New Evasion Techniques

Dyre’s evasion techniques, which are designed to help the malware bypass enterprise security controls and remain stealthy on the victim’s machine, are being constantly developed. New evasion techniques added to Dyre include the use of Secure Socket Layers to protect C&C communications, for example. Additionally, a mechanism that enables the Dyre Trojan to find an alternate C&C was added to the Trojan just in case the hard-coded C&Cs aren’t available. This mechanism uses a domain generation algorithm to generate URLs on various top-level domains (cc, ws, to, in, hk, cn, tk and so), similar to the mechanism used by Downad/Conficker malware.

Massively Distributed APT Malware a Dangerous Emerging Threat

Previous blog posts have explained how the Dyre Trojan became a massively distributed APT malware. The following are the general characteristics of massively distributed APT malware:

  • Off-the-shelf malware, not custom-designed for a specific target;
  • Massively distributed by cybercriminals using spear phishing campaigns, watering hole attacks and other distribution techniques;
  • Can be used in APT-style attacks if given certain operational instructions.

The use of massively distributed malware lets cybercriminals take advantage of millions of machines already infected with the Dyre Trojan, extending their reach by having the Trojan further distribute itself. Since the Trojan acts on instructions provided in the configuration file, new configurations can be used to point it at new targets.

According to IBM Security Trusteer research, an average of 1 in 500 machines in the world is infected with massively distributed APT malware. According to Trusteer’s services team, it discovers massively distributed APT malware such as Dyre and Citadel in virtually every customer environment it works with. It is no longer a question of whether machines will become infected; there is a high likelihood systems in your organization are already infected.

Protecting Against Dyre and Other Types of Massively Distributed APT Malware

IBM Trusteer’s endpoint protection solutions, IBM Security Trusteer Apex Advanced Malware Protection™ and IBM Security Trusteer Rapport, can provide extensive protection against massively distributed APT malware families, including Dyre, Citadel, Zeus, SpyEye and Shylock. These IBM Trusteer solutions can detect, mitigate and remediate such malware infections. Moreover, the Trusteer Apex and Trusteer Rapport solutions can stop future infections and prevent endpoints from being compromised by applying integrated, multilayered defenses that break the threat life cycle. IBM Trusteer threat research is based on dynamic intelligence feeds from more than 100 million protected endpoints and translates into security updates that are automatically sent to protected endpoints.

Read the white paper: Proactive response to today’s advanced persistent threats

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

4 min read

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

4 min read

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

12 min read

How to Report Scam Calls and Phishing Attacks

5 min read - With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…

5 min read