• Author: Brett Stone-Gross and Pallav Khandhar, Dell SecureWorks Counter Threat Unit™ Threat Intelligence
  • Date: 17 December 2014

Summary

Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of banking malware would fill the void. In early June 2014, the Dell SecureWorks Counter Threat Unit™ (CTU™) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry.

Capabilities

Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor ("web fakes") and a dynamic web inject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and manipulating website content before it is rendered by the browser.

Early Dyre versions were relatively primitive, sending command and control (C2) communications and stolen data via unencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption algorithm. Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering.

Malware distribution

Each Dyre binary has an ID value that allows the malware operators to identify the campaign associated with each compromise. These campaigns are often localized to target specific geographic regions. Since Dyre's introduction, the CTU research team has identified 21 unique Dyre campaigns (see Figure 1). As of this publication, Dyre has targeted more than 242 financial institutions.

Figure 1. Distribution of active Dyre campaigns observed by CTU researchers as of this publication. (Source: Dell SecureWorks)
Figure 1. Distribution of active Dyre campaigns observed by CTU researchers as of this publication. (Source: Dell SecureWorks)

Malware distribution vector

Dyre is downloaded and installed on compromised systems by the Upatre downloader trojan, which is distributed through spam emails sent by the Cutwail botnet and at least two other spam botnets. The emails contain Upatre as an embedded malware executable in a ZIP attachment (see Figure 2) or as a malicious URL. In both instances, user interaction is required to compromise the targeted system. Dyre campaigns use different lures, such as impersonating FedEx invoices, electronic faxes, and payroll or financial documents.

Figure 2. Spam email lure samples dropping Dyre via Upatre downloader as an attachment. (Source: Dell SecureWorks)
Figure 2. Spam email lure samples dropping Dyre via Upatre downloader as an attachment. (Source: Dell SecureWorks)

Architecture

The Dyre malware is packed and obfuscated in multiple layers, and it is divided into two modules: the dropper and the main DLL module. The DLL module is stored in two distinct resources named payload32 and payload64, which Dyre activates on 32-bit or 64-bit Windows platforms, respectively. The malware drops a slightly modified copy of itself, using a random filename like "tlBTyLNuJkruXja.exe," in the C:\Windows folder (see Figure 3). When Dyre launches this file, malicious code is injected into svchost.exe.

Figure 3. Default location for dropped Dyre files. (Source: Dell SecureWorks)
Figure 3. Default location for dropped Dyre files. (Source: Dell SecureWorks)

For persistence, Dyre registers as a system service under "Google Update Service" by adding an HKLM\SYSTEM\ControlSet001\Services\googleupdate registry key (see Figure 4).

Figure 4. Dyre's persistence mechanism. (Source: Dell SecureWorks)
Figure 4. Dyre's persistence mechanism. (Source: Dell SecureWorks)

The malware hides its base configuration file, RSA key, and other important data within the resource section of the Dyre DLL (see Figure 5).

Figure 5. Dyre resource section containing important data. (Source: Dell SecureWorks)
Figure 5. Dyre resource section containing important data. (Source: Dell SecureWorks)

Dyre beacons to the hard-coded IP addresses listed in the base configuration file. The first request registers a bot on the C2 server. The malware sends the compromised system's operating system information to the C2 server and continues beaconing requests.

Dyre's web inject engine uses a slightly different approach than other banking trojans. The injected process hooks code into Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer, intercepting victims' credentials when they log into a bank account or other financial service. For each web browser, Dyre hooks different functions within the loaded DLLs:

  • Firefox: PR_Read and PR_Write functions within nspr4.dll
  • Chrome: ssl_read and ssl_write functions within chrome.dll
  • Internet Explorer: functions within wininet.dll

When a victim on a compromised system visits one of the targeted banking websites and enters login credentials, Dyre intercepts the data and sends a POST request to the threat actor's drop server. The request includes cookies and browser information. The malware can also manipulate banking website content dynamically, which can be used to circumvent two-factor authentication schemes.

Command and control traffic

Dyre contacts Google to check network connectivity and then submits a Session Traversal Utilities for NAT (STUN) binding request (see Figure 6). STUN allows a system located behind a network address translator (NAT) to discover a public IP address.

Figure 6. Dyre's network connectivity check and STUN requests. (Source: Dell SecureWorks)
Figure 6. Dyre's network connectivity check and STUN requests. (Source: Dell SecureWorks)

The STUN servers listed in Table 1 are hard-coded in the Dyre binary.

stun1.voiceeclipse.net stun.callwithus.com stun.sipgate.net
stun.ekiga.net stun.ideasip.com stun.internetcalls.com
stun.noc.ams-ix.net stun.phonepower.com stun.voip.aebc.com
stun.voipbuster.com stun.voxgratia.org stun.ipshka.com
stun.faktortel.com.au stun.iptel.org stun.voipstunt.com
stunserver.org s1.taraba.net s2.taraba.net
stun.l.google.com:19302 stun1.l.google.com:19302 stun2.l.google.com:19302
stun3.l.google.com:19302 stun4.l.google.com:19302 stun.schlund.de
stun.rixtelecom.se stun.voiparound.com numb.viagenie.ca
stun.stunprotocol.org stun.2talk.co.nz  

Table 1. Hard-coded STUN servers.

To hide its backend infrastructure, Dyre deploys a set of proxy servers that act as C2 servers. As shown in Figure 7, these servers are primarily located in North America and Europe. The threat actors have also implemented additional methods to maintain control of the botnet.

Figure 7. Geographic distribution of Dyre C2 servers. (Source: Dell SecureWorks)
Figure 7. Geographic distribution of Dyre C2 servers. (Source: Dell SecureWorks)

Dyre uses SSL to communicate with its C2 server. The requests use a standard structure, substituting appropriate values for the <Campaign ID>, <Bot ID>, and <Architecture> variables:

    GET /<Campaign ID>/<Bot ID>/5/cert/EXT-IP/HTTP/1.1 (Register the Bot)
    GET /<Campaign ID>/<Bot ID>/0/Win_XP_32bit/1023/EXT-IP/HTTP/1.1 (Register OS of Bot)
    GET /<Campaign ID>/<Bot ID>/1/FcJgUwyCWvgLPymGiJGwUkwCVcBMmiD/EXT-IP/(Send live signal)
    GET /<Campaign ID>/<Bot ID>/5/httprdc/EXT-IP/HTTP/1.1 (Ask for web fakes configuration data with target list)
    GET /<Campaign ID>/<Bot ID>/5/respparser/EXT-IP/HTTP/1.1 (Request dynamic web inject configuration)
    GET /<Campaign ID>/<Bot ID>/5/twg<Architecture>/EXT-IP/HTTP/1.1 (Request grabber plugin)
    GET /<Campaign ID>/<Bot ID>/5/i2p<Architecture>/EXT-IP/HTTP/1.1 (Request I2P plugin)
    GET /<Campaign ID>/<Bot ID>/5/n_vnc<Architecture>/EXT-IP/HTTP/1.1 (Request VNC plugin)
    GET /<Campaign ID>/<Bot ID>/5/n_tv<Architecture>/EXT-IP/HTTP/1.1 (Request TV plugin)
    GET /<Campaign ID>/<Bot ID>/5/cfg_bc/EXT-IP/HTTP/1.1 (Request back connect configuration)
    GET /<Campaign ID>/<Bot ID>/14/NAT/Port%20restricted%20NAT/0/EXT-IP/(NAT status)

Figure 8 shows a Dyre request for the configuration file identifying the list of URLs to redirect to the malicious server hosting the web fake. The C2 server's reply is encrypted with a custom encryption algorithm, and the payload is digitally signed using a 1024-bit RSA key.

Figure 8. Dyre's configuration request to the C2 server. (Source: Dell SecureWorks)
Figure 8. Dyre's configuration request to the C2 server. (Source: Dell SecureWorks)

Dyre performs a man-in-the-browser attack to steal data sent to a legitimate bank website. The malware sends the stolen data to its exfiltration server in an HTTP POST request (see Figure 9).

Figure 9. Dyre HTTP POST request to exfiltration server. (Source: Dell SecureWorks)
Figure 9. Dyre HTTP POST request to exfiltration server. (Source: Dell SecureWorks)

Command and control resiliency 

Since Dyre’s inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure. The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.

Domain generation algorithm

Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. The following domains were generated on December 8, 2014:

  • y3aaa48a7056d7075c3760cdbd90a75b8f.cc
  • z376dfe4955a257a78944864dd0158d172.ws
  • a8377c5a7c390331b15c1df94fa745e38a.to
  • ba3be71036fc2c06d603a2b17d41ffe71a.in
  • c9cca04cec2588918820cf33ba4337cca8.hk
  • dec4f75e53d7202136164e2b26456dabdf.cn
  • e3d68349d47efa0d5a9a92b1239bc4d48c.tk
  • f85db5ce8675f53b61f00ca0e822a33312.so

CTU researchers sinkholed a Dyre DGA domain to identify sources of infection and to ascertain the number of compromised systems that resorted to the DGA for command and control. During a 24-hour interval, the sinkhole received requests from 8,815 unique IP addresses. The U.S. led the number of compromised systems with 59%, followed by Canada with 8%, Portugal with 7%, the UK with 5%, and Turkey with 3% (see Figure 10).

Figure 10. Infected Dyre bots reaching out to DGA domains. (Source: Dell SecureWorks)
Figure 10. Infected Dyre bots reaching out to DGA domains. (Source: Dell SecureWorks)

I2P

The Invisible Internet Project (I2P) is an overlay network similar to Tor that offers anonymity. It provides anonymous hosting known as eepSites, which are similar to Tor's hidden services. eepSites allow users to access websites in a way that masks the true location of the server, so that it cannot be easily identified and taken down. On December 3, 2014, CTU researchers observed a Dyre sample that included the following I2P eepSite domain: nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p.

Dyre's implementation of an I2P plugin has several tradeoffs. It makes the malware's backend server more difficult to trace, and the encapsulation of Dyre requests using I2P's encrypted protocol could complicate development of network-based signatures. However, I2P has not been widely adopted, so its presence may also be used to identify compromises.

Connection to Gozi Neverquest

CTU researchers have observed a relationship between the Dyre trojan and the Neverquest variant of Gozi. On several occasions, Gozi Neverquest pushed commands to download and execute a Dyre executable, and there have been other instances of Dyre issuing commands to download and execute a Gozi Neverquest executable. These examples suggest that one or more of the same threat actors are involved with both botnets, and they may leverage each trojan according to their specific needs.

Conclusion

Dyre has emerged from its early stages of development to become one of the most prominent banking trojans. Each iteration included refinements and new features to make it more powerful and robust. The version of Dyre being distributed as of this publication provides advanced capabilities with web fakes, dynamic web injects, a modular design, and multiple methods for maintaining command and control. The introduction of Dyre shortly after the takedown of Gameover Zeus shows the determination of threat actors targeting the financial vertical.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to the Dyre banking malware. The IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
0a77a39285d6bc816791320bb13408e5 MD5 hash Dyre trojan
c3980a6228b68f88a0718de7a0362116 MD5 hash Dyre trojan
b5b3af636f545da62f87c2773aa99016 MD5 hash Dyre trojan
ec525c578d14a15d8d913e83ec5c557b MD5 hash Dyre trojan
32d32802a97b9c24e1eafcea6af52440 MD5 hash Dyre trojan
2d8923ef39b1fa0a091965735f3490f3 MD5 hash Dyre trojan
1a52993e4546c3d6adad037af74ce2a8 MD5 hash Dyre trojan
156f730bbb6b6cada4ef89e22ddc68ab MD5 hash Dyre trojan
3597f17748f9bb7d008840a4b1391582 MD5 hash Dyre trojan
c6315a09e06e2ba775e5be0979d23755 MD5 hash Dyre trojan
5.79.86.19 IP address Dyre exfiltration/web inject server
212.56.214.154 IP address Dyre C2 server
202.153.35.133 IP address Dyre C2 server
80.248.224.75 IP address Dyre C2 server
109.228.17.152 IP address Dyre C2 server
166.78.103.85 IP address Dyre C2 server
109.228.17.158 IP address Dyre C2 server
109.228.17.155 IP address Dyre C2 server
176.114.0.58 IP address Dyre C2 server
85.25.134.53 IP address Dyre C2 server
217.172.181.164 IP address Dyre C2 server
217.172.184.75 IP address Dyre C2 server
213.239.209.196 IP address Dyre C2 server
212.56.214.130 IP address Dyre C2 server
37.59.2.42 IP address Dyre C2 server
93.190.139.178 IP address Dyre C2 server
85.25.138.12 IP address Dyre C2 server
85.25.145.179 IP address Dyre C2 server
217.172.179.9 IP address Dyre C2 server
203.183.172.196 IP address Dyre C2 server
94.23.61.172 IP address Dyre C2 server
94.23.196.90 IP address Dyre C2 server
217.23.8.68 IP address Dyre C2 server
193.203.50.17 IP address Dyre C2 server
193.203.50.69 IP address Dyre C2 server
nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p I2P domain Dyre C2 server
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 User-Agent Dyre User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 User-Agent Dyre User-Agent
cd2sd48za09 Mutex Mutex created by Dyre
5efw48e8re54 Mutex Mutex created by Dyre

Table 2. Threat indicators for the Dyre trojan.