Traffic generated by the malware is more difficult to detect

Sep 28, 2014 17:57 GMT

Malware authors have improved the functionality of Dyre banking Trojan, which now benefits from its own SSL certificate to communicate with its command and control (C&C) servers.

In a recently analyzed sample, security researchers have discovered that the malware relies on a digital certificate issued for an entity called Internet Widgits Pty Ltd.

Proofpoint security experts determined that the communication with the remote servers occurred on ports 443 and 4443.

By using their own certificate for the communication, the actors behind the new variant of Dyre make it more difficult for security solutions to identify the traffic as illegitimate.
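The detection problem the article describes is that the C&C traffic is TLS on ports a network monitor expects to see TLS on, so payload inspection alone does not help. What a defender can still examine is the certificate metadata the handshake exposes. The block below is an added illustration, not code from the article or from Proofpoint: it runs over a few constructed TLS connection log lines (the tab-separated format, the function names and the IP addresses are all assumptions made for this example) and flags sessions whose server certificate carries the subject organization named in the article, or is self-signed on one of the two ports Proofpoint observed. One caveat worth building in: "Internet Widgits Pty Ltd" is the default organization name in OpenSSL's sample `openssl.cnf`, so it also appears on countless benign test certificates; treat it as a weak signal to combine with others, and keep an allowlist for known internal hosts.

```python
"""Flag outbound TLS sessions whose server certificate resembles the
self-issued certificate described in the article (constructed example)."""
import re
from dataclasses import dataclass

# Indicators taken from the article: the certificate subject organization seen
# in the Dyre sample and the two C&C ports Proofpoint observed. The subject is
# also OpenSSL's default placeholder organizationName, hence a weak signal.
SUSPECT_SUBJECT_ORG = "Internet Widgits Pty Ltd"
SUSPECT_PORTS = {443, 4443}

# Constructed sample log: ts, src, dst, dst port, cert subject DN, issuer DN.
SAMPLE_LOG = """\
2014-09-26T10:01:02Z\t10.0.0.15\t203.0.113.7\t4443\tC=AU,ST=Some-State,O=Internet Widgits Pty Ltd\tC=AU,ST=Some-State,O=Internet Widgits Pty Ltd
2014-09-26T10:01:05Z\t10.0.0.15\t198.51.100.20\t443\tCN=www.example.com,O=Example Corp\tCN=Example CA,O=Example CA Inc
2014-09-26T10:02:11Z\t10.0.0.22\t192.0.2.9\t443\tCN=intranet.local,O=Acme\tCN=intranet.local,O=Acme
"""


@dataclass
class TlsSession:
    ts: str
    src: str
    dst: str
    dport: int
    subject: str
    issuer: str


def parse_line(line):
    """Parse one tab-separated record (assumed format); None if malformed."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, dst, dport, subject, issuer = fields
    try:
        return TlsSession(ts, src, dst, int(dport), subject, issuer)
    except ValueError:
        return None


def subject_org(dn):
    """Extract the O= component from a comma-separated distinguished name."""
    m = re.search(r"(?:^|,)\s*O=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def classify(session):
    """Return the list of reasons a session looks suspicious (empty if none)."""
    reasons = []
    if subject_org(session.subject) == SUSPECT_SUBJECT_ORG:
        reasons.append("placeholder-org-subject")
    # A certificate whose issuer equals its subject was not issued by any CA;
    # on the ports the article names, that is worth a closer look.
    if session.subject == session.issuer and session.dport in SUSPECT_PORTS:
        reasons.append("self-signed-on-port-%d" % session.dport)
    return reasons


def scan(log_text, allow_dst=frozenset()):
    """Run the classifier over a log; returns (dst, port, reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        session = parse_line(line)
        if session is None or session.dst in allow_dst:
            continue
        reasons = classify(session)
        if reasons:
            alerts.append((session.dst, session.dport, reasons))
    return alerts


if __name__ == "__main__":
    for dst, port, reasons in scan(SAMPLE_LOG, allow_dst={"192.0.2.9"}):
        print("%s:%d  %s" % (dst, port, ", ".join(reasons)))
```

Run as-is, the third sample session (an internal host with a self-signed certificate) is dropped by the allowlist and only the placeholder-organization session on port 4443 is reported; without the allowlist both would be listed, which is the usual tuning trade-off for this kind of weak-signal rule.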

New Dyre version steals browser data and enumerates installed programs

In the latest variant, Proofpoint's researchers found that a freshly introduced feature, called “browsersnapshot,” is responsible for collecting browser data such as cookies, client-side certificates and private keys from the Windows Certificate Store used by Internet Explorer and from the Firefox certificate database.

Also new is the enumeration of the programs installed on the compromised computer, as well as the running services. Cybercriminals generally do this as reconnaissance for crafting more effective attacks on the victims, or to build a database of the attack vectors that would work on specific types of users.

As for the targets, the Trojan does not carry them built in; it is instructed to download them from the C&C server. This makes the malware a much more flexible tool in the hands of cybercriminals, as they can add or remove targets according to their needs.

List of targets can be updated at any time

Proofpoint discovered that Salesforce.com was among the targets, which could suggest that the same variant was used against the customers of the cloud-based CRM provider in the attack that took place earlier this month.

“This sample of Dyreza highlights the rapid adaptation of new malware to updated defenses and the effort by crimeware groups to pursue new targets. Expect to see Dyreza and other threats continue to evolve – and to evolve more rapidly – as time goes by,” Proofpoint warns.

The Trojan was first reported by PhishMe back in June and, after analyzing it, they determined that it could bypass the SSL mechanism in the browser through the technique known as man-in-the-middle (MitM), which allows interception of encrypted data without giving any sign that the secure connection is compromised.

The malware was created specifically for stealing banking information from users, and initially it targeted connections to Bank of America, Citigroup, the Royal Bank of Scotland, Ulsterbank and Natwest.