The malware, revealed by researchers at PhishMe on 13 June and Danish security research firm CSIS on 16 June, uses what CSIS describes as a “totally new” browser hooking method to attack customers of NatWest, RBS, Ulster Bank, Citibank and Bank of America. CSIS says: “The primary target appears to be the UK.”
The researchers says Dyreza/Dyre uses browser hooking – aimed at Internet Explorer, Chrome and Firefox users - to intercept the victim's banking data before it is encoded and then redirects them to the attackers' website, while fooling them into thinking they are still online to their bank and working with encoded data.
PhishMe senior researcher Ronnie Tokazowski told SCMagazineUK.com via email: “With the way this malware works, the attackers are not taking advantage of a flaw in the bank, but hooking into the browser to bypass the SSL mechanism used to protect a user's data. With this bypass, the attackers could easily shift and target another bank, or even any credential that is meant to be encrypted.”
“Right now, the malware is being used to steal credentials from banking sites, but could easily be modified to steal credentials from any site passing credentials through HTTPS.”
He added: “This is a new strain of malware unseen in the industry until now.”
Jan Kaastrup, CTO of CSIS, said the malware's ability to evade online banking checks is “totally new”.
He told SC UK: “There are some elements from Zeus in this one, but it uses a TLS hooking function which basically means they can decrypt the data in real time but without the users getting any certificate warnings.
“A lot of the banks have server-side detection scripts where they are then able to detect if the browser is injected in some way. But because they have the ability to inject after the user has submitted the button, they are able to circumvent those kind of mitigations. It's totally new, we haven't seen that before in any Trojans.”
Neither firm could confirm the current number of infections or the location of the cyber criminals behind it. CSIS detected a number of ‘money mule' accounts in Latvia, though these could be innocent systems hijacked by the attackers to siphon away the stolen funds.
In his blog, CSIS's Peter Kruse says the malware is delivered through spam emails with an attached zip file which when opened, drops the malware onto the machine. He warned: “Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a ‘Flash Player update'.”
The malware also conceals itself by being hosted on legitimate domains, including LogMeIn's ‘Cubby' file sharing service, said PhishMe. It previously used Dropbox – and PhishMe identified the new malware through its recent investigation of phishing-based ransomware attacks on Dropbox, reported last week by SC US.
Tokazowski told SC UK: “One of the things that stood out to me about this sample is the ease with which it transmits data back to the attackers, as well as the techniques it uses to bypass the SSL mechanism in browsers. In testing, the data remained encrypted even after submitting the information, and gave zero signs to the user that their computer was infected. Scary stuff.”
In terms of how to protect against Dyreza/Dyre, Tokazowski provides a list of advice points in his blog post. Meanwhile Paco Hope, principal consultant with security firm Cigital, said, “there are lessons for businesses and lessons for individuals,” from this new malware.
He told SC UK via email: “A business running an online portal must assume that some fraction of its users are affected by such malware. Businesses should ask themselves what would happen if that fraction was huge, even a majority? What other security controls do they have, and could those controls handle that strain?
“The lesson for individuals isn't changed by this discovery. All the recommendations - strong passwords, different passwords for every site, multi-factor authentication when possible - are rendered irrelevant when this kind of malware runs on a person's computer.”