CSIS News, 2014-06-16 12:21:16

We have been analyzing a new piece of banking malware, which is targeting some major online banking services. Among many, we have verified the following to be on the target list:

Bank of America
Natwest
Citibank
RBS
Ulsterbank

The code is designed to work similarly to ZeuS: like most online banking threats it hooks the browser (Internet Explorer, Chrome and Firefox) and harvests data whenever an infected user connects to one of the targets specified in the malware's configuration.

The malware is being delivered through spam campaigns. We have seen various subjects such as "Your FED TAX payment ID [random number]" and "RE: Invoice #[random number]". The primary target appears to be the UK. We have seen RBS customers targeted specifically, with the following lure text:

"Please review attached documents regarding your account

To view/download your documents please click here

Tel: 01322 247616
Fax: 01322 202705
email: Leonel@rbs.com

This information is classified as Confidential unless otherwise stated."

Attached is a zip file (e.g. Document-[%random number%].zip) which, when opened, drops the malware onto the machine. Next, it connects to the C&C server with a GET request, e.g. GET /cho1017/[%unique ID%], using the User-Agent string "Wget/1.9".
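As an added example (not code from the original post or from CSIS), the following Python script scans HTTP proxy log lines for the check-in pattern described above: a GET to /cho1017/[unique ID] with the User-Agent string exactly "Wget/1.9". The /cho1017/ path and the Wget/1.9 string come from the post; the log layout, the C&C address 203.0.113.10 and the unique IDs in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post). Assumed layout:
# client method url status "user-agent". The C&C address and IDs are made up.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://203.0.113.10/cho1017/ID-0001 200 "Wget/1.9"
10.0.0.12 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"
10.0.0.20 GET http://203.0.113.10/cho1017/ID-0002 200 "Wget/1.9"
10.0.0.31 GET http://mirror.example.org/pkg.tar.gz 200 "Wget/1.15 (linux-gnu)"
10.0.0.31 GET http://mirror.example.org/cho1017/ 200 "Wget/1.9"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# One path component after /cho1017/, as in GET /cho1017/[unique ID]
BEACON_PATH_RE = re.compile(r"^/cho1017/(?P<uid>[^/]+)$")
BEACON_UA = "Wget/1.9"  # exact match; a real wget sends a longer version string


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_dyreza_beacon(entry):
    """True when the request matches the check-in described in the post."""
    if entry["method"] != "GET" or entry["ua"] != BEACON_UA:
        return False
    return BEACON_PATH_RE.match(urlsplit(entry["url"]).path) is not None


def find_beacons(log_text):
    """Return (client, c2_host, unique_id) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_dyreza_beacon(entry):
            continue
        parts = urlsplit(entry["url"])
        uid = BEACON_PATH_RE.match(parts.path).group("uid")
        hits.append((entry["client"], parts.hostname, uid))
    return hits


if __name__ == "__main__":
    for client, c2, uid in find_beacons(SAMPLE_PROXY_LOG):
        print(f"possible Dyreza check-in: client={client} c2={c2} id={uid}")
```

The match is deliberately strict (exact User-Agent, exactly one path component after /cho1017/) so that ordinary wget downloads and a bare /cho1017/ path are not flagged; in practice the hostnames returned are the values worth pivoting on.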

The binary code is packed with a cryptor to avoid AV detection and to hinder analysis. It contains compile leftovers that reveal some background data:

C:\CPP_PROJECTS_GIT\DYRE\Release\dyrecontroller.pdb
C:\CPP_PROJECTS_GIT\DYRE\Release\zapuskator2.pdb

We decided on the name "dyreza" based on the above compile leftovers. Samples have been sent to AV vendors to ensure detection and removal.

Whenever this code is executed, it beacons back to its C&Cs. We managed to locate several of these and even obtained access to parts of the server, which revealed a customized "money mule" panel with several accounts in Riga, Latvia.

Traffic interception
While an infected user browses the Internet, the attackers control the traffic. They use a MiTM (Man in The Middle) approach and are therefore able to read everything in clear text, SSL traffic included. In this way they also attempt to circumvent 2FA.

Complete list of targets extracted from the unpacked code:

cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
businessaccess.citibank.citigroup.com/cbusol/signon.do
www.bankline.natwest.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.natwest.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fnatwest%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.natwest.com%3A443%2Fbankline%2Fnatwest%2Fdefault.jsp
www.bankline.rbs.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.rbs.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Frbs%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.rbs.com%3A443%2Fbankline%2Frbs%2Fdefault.jsp
www.bankline.ulsterbank.ie/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.ulsterbank.ie&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fubr%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.ulsterbank.ie%3A443%2Fbankline%2Fubr%2Fdefault.jsp
AUTOBACKCONN
cashproonline.bankofamerica.com/materials
businessaccess.citibank.citigroup.com/materials
c1shproonline.bankofamerica.com
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/
cashproonline.bankofamerica.com/assets/
b1sinessaccess.citibank.citigroup.com
businessaccess.citibank.citigroup.com/assets/
businessaccess.citibank.citigroup.com/CitiBusinessOnlineFiles/
www.b1nkline.natwest.com
www.bankline.natwest.com/
www.b1nkline.rbs.com
www.bankline.rbs.com/
www.b1nkline.ulsterbank.ie
www.bankline.ulsterbank.ie/
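As an added example (not code from the original post or from CSIS), the Python below turns the extracted list above into a hostname watchlist: it splits each entry into host and path, sets aside entries that are not hostnames, and reports hostname pairs that differ by exactly one character, which is the relationship between entries such as c1shproonline.bankofamerica.com and cashproonline.bankofamerica.com. The list is copied from the post; treating AUTOBACKCONN as a keyword rather than a host is an assumption, since the post does not explain it.

```python
from itertools import combinations

# Target list copied from the post. AUTOBACKCONN is kept as a keyword; its
# role is not explained in the post (assumption: it is not a hostname).
TARGET_LIST = """\
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
businessaccess.citibank.citigroup.com/cbusol/signon.do
www.bankline.natwest.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.natwest.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fnatwest%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.natwest.com%3A443%2Fbankline%2Fnatwest%2Fdefault.jsp
www.bankline.rbs.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.rbs.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Frbs%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.rbs.com%3A443%2Fbankline%2Frbs%2Fdefault.jsp
www.bankline.ulsterbank.ie/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.ulsterbank.ie&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fubr%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.ulsterbank.ie%3A443%2Fbankline%2Fubr%2Fdefault.jsp
AUTOBACKCONN
cashproonline.bankofamerica.com/materials
businessaccess.citibank.citigroup.com/materials
c1shproonline.bankofamerica.com
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/
cashproonline.bankofamerica.com/assets/
b1sinessaccess.citibank.citigroup.com
businessaccess.citibank.citigroup.com/assets/
businessaccess.citibank.citigroup.com/CitiBusinessOnlineFiles/
www.b1nkline.natwest.com
www.bankline.natwest.com/
www.b1nkline.rbs.com
www.bankline.rbs.com/
www.b1nkline.ulsterbank.ie
www.bankline.ulsterbank.ie/
"""


def parse_targets(text):
    """Split the list into distinct hosts, (host, path) pairs and bare keywords.

    A line with no '.' is treated as a keyword; the query string is dropped
    from paths because only the path is useful for matching proxy logs."""
    hosts, paths, keywords = set(), [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "." not in line:
            keywords.append(line)
            continue
        host, sep, rest = line.partition("/")
        hosts.add(host)
        if sep:
            paths.append((host, "/" + rest.split("?", 1)[0]))
    return {"hosts": sorted(hosts), "paths": paths, "keywords": keywords}


def single_substitution_pairs(hosts):
    """Return (a, b) pairs of equal-length hostnames that differ in exactly
    one character position, e.g. a digit substituted for a letter."""
    pairs = []
    for a, b in combinations(sorted(hosts), 2):
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    parsed = parse_targets(TARGET_LIST)
    print("hosts to watch:", *parsed["hosts"], sep="\n  ")
    for variant, original in single_substitution_pairs(parsed["hosts"]):
        print(f"one-character variant: {variant} <-> {original}")
```

The distinct hostnames are what a defender would feed into DNS or proxy monitoring; the one-character variants are worth listing separately, since any resolution of them from inside the network is unlikely to be a user typo.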
Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a "Flash Player update".

It is still unclear whether this is offered as "Crime as a Service" or whether the group runs the entire operation itself.

We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code.

CSIS would like to credit the following blog/analysis:
http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/

Samples:
MD5 hash:
c2d73485095efdbd7ab625e469affb11