Names | Dyre Dyreza Dyzap Dyranges | |
Category | Malware | |
Type | Banking trojan, Info stealer, Backdoor | |
Description | (SecureWorks) In early June 2014, the Dell SecureWorks Counter Threat Unit (CTU) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry. Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor ('web fakes') and a dynamic web inject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and manipulating website content before it is rendered by the browser. Early Dyre versions were relatively primitive, sending command and control (C2) communications and stolen data via unencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption algorithm. Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering. | |
Information | <https://www.secureworks.com/research/dyre-banking-trojan> <https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf> <https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/> <https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates> <https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/> | |
MITRE ATT&CK | <https://attack.mitre.org/software/S0024/> | |
Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre> | |
AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:Dyre> |
Last change to this tool card: 13 May 2020
Download this tool card in JSON format
Changed | Name | Country | Observed | ||
APT groups | |||||
Wizard Spider, Gold Blackburn | 2014-Dec 2023 |
1 group listed (1 APT, 0 other, 0 unknown)
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |