We have been analyzing a new piece of banking malware, which is targeting some major online banking services. Among many, we have verified the following to be on the target list:
Bank of America
The code is designed to work similarly to ZeuS and, like most online banking threats, it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data whenever an infected user connects to the targets specified in the malware.
The malware is being delivered through spam campaigns. We have seen various subjects such as "Your FED TAX payment ID [random number]" and "RE: Invoice #[random number]". The primary target appears to be the UK. We have seen RBS specifically targeted with the following content:
"Please review attached documents regarding your account
To view/download your documents please click here
Tel: 01322 247616
Fax: 01322 202705
This information is classified as Confidential unless otherwise stated."
Attached is a zip file (e.g. Document-[%random number%].zip) which, when opened, drops the malware onto the machine. Next, it connects to the C&C server with a GET request, e.g. GET /cho1017/[%unique ID%], using the browser agent string "Wget/1.9".
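As an added defensive example (not code from the original post), a small scanner that flags the check-in described above in combined-format proxy logs, scoring a hit higher when both the path pattern and the user-agent string match. The log lines are constructed for the example, and the log format is an assumption; adjust the regex for your proxy.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the post: a GET to /cho1017/<unique ID> with the
# browser agent string "Wget/1.9".
BEACON_PATH_RE = re.compile(r"^/cho1017/[^/\s]+$")
BEACON_USER_AGENT = "Wget/1.9"

# Assumed combined log format: client, timestamp, request line, status,
# size, referrer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one full beacon, one benign wget download,
# one ordinary browser request, one partial match (agent only).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2014:09:12:01 +0000] "GET /cho1017/PCNAME-0123456789 HTTP/1.1" 200 512 "-" "Wget/1.9"
10.0.0.7 - - [11/Jun/2014:09:13:44 +0000] "GET /pub/archive.tar.gz HTTP/1.1" 200 9031 "-" "Wget/1.15 (linux-gnu)"
10.0.0.9 - - [11/Jun/2014:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.5 - - [11/Jun/2014:09:15:02 +0000] "GET /update.bin HTTP/1.1" 200 40960 "-" "Wget/1.9"
"""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path_hit = bool(BEACON_PATH_RE.match(m["path"]))
    ua_hit = m["ua"] == BEACON_USER_AGENT
    if path_hit and ua_hit:
        verdict = "high"    # both indicators from the post are present
    elif path_hit or ua_hit:
        verdict = "medium"  # one indicator; a real wget 1.9 is rare but possible
    else:
        return None
    return {"client": m["client"], "path": m["path"], "ua": m["ua"], "verdict": verdict}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return the list of findings in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```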
The binary is packed with a cryptor to avoid AV detection and to hinder analysis. It has compile leftovers that reveal some background data:
We decided on the name "dyreza" due to the above compile leftovers. Samples have been sent to AV vendors to ensure detection and removal.
Whenever this code is executed, it will beacon back to its C&Cs. We managed to locate several of these and even obtained access to parts of the server, which revealed a customized "money mule" panel with several accounts in Riga, Latvia.
The traffic, when you browse the Internet, is controlled by the attackers. They use a MitM (Man in the Middle) approach and are thus able to read anything, even SSL traffic, in clear text. This way they will also try to circumvent 2FA.
Complete list of targets extracted from the unpacked code:
Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a "Flash Player update".
Still, it's unclear whether this is provided as "Crime as a Service" or if it's a full-circle criminal outfit.
We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code.
CSIS would like to credit the following blog/analysis: