Uses a man-in-the-middle approach to read encrypted traffic in plain text

Jun 16, 2014 17:27 GMT

Security researchers have come across a new remote access Trojan that reads encrypted traffic in plain text by routing the victim's connection through domains the attacker controls.

Named Dyre or Dyreza, the Trojan relies on browser hooking to intercept traffic and redirect it to a command-and-control (C2) server owned by the attackers.

Because the hook sits inside the browser, the victim sees nothing unusual: the session continues to appear as an HTTPS connection while the data is siphoned off to the cybercriminals.

Security researcher Ronnie Tokazowski of PhishMe says that as soon as the threat lands on the victim's computer it initiates communication with several IP addresses. Once a connection is established, it requests the path "/publickey/", whose purpose is at the moment unknown, and then issues a GET request through which details about the operating system are exchanged, along with what may be a command from the server.

When Tokazowski captured the traffic for a simple Bing search, he saw two POST requests instead of one, and the search query was visible to the attacker. Simply put, the session could be hijacked: with the session cookie in their hands, the bad actors could log in as the user.
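The two behaviours described above, the "/publickey/" beacon and the duplicated POST, are the sort of thing a proxy log or packet capture would show. The following is an added example written for this page, not code from PhishMe or the article: it runs a simple check for both indicators over a small constructed log. The hosts, the 192.0.2.10 documentation address standing in for the attackers' server, the request records and the five-second pairing window are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HttpRequest:
    """One request as a web proxy or packet capture would log it."""
    ts: datetime
    method: str
    host: str
    path: str
    body: str = ""


def is_publickey_beacon(req: HttpRequest) -> bool:
    """Indicator 1: the initial request for the "/publickey/" path."""
    return req.method == "GET" and req.path.startswith("/publickey/")


def find_duplicate_posts(requests, window=timedelta(seconds=5)):
    """Indicator 2: the same non-empty POST body leaving the browser twice,
    to two different hosts, within `window` of each other.

    Returns (original, copy) pairs.  A resubmission to the same host
    (a page refresh) is not reported, nor is an identical body sent
    much later, which is ordinary form reuse rather than exfiltration.
    """
    posts = sorted((r for r in requests if r.method == "POST" and r.body),
                   key=lambda r: r.ts)
    anchor = {}      # body -> first request seen with that body in the window
    findings = []
    for req in posts:
        first = anchor.get(req.body)
        if first is None or req.ts - first.ts > window:
            anchor[req.body] = req   # start (or restart) the window for this body
            continue
        if req.host != first.host:
            findings.append((first, req))
    return findings


def find_dyre_indicators(requests, window=timedelta(seconds=5)):
    """Run both checks over a list of HttpRequest records."""
    return {
        "publickey_beacons": [r for r in requests if is_publickey_beacon(r)],
        "duplicate_posts": find_duplicate_posts(requests, window),
    }


# Constructed sample log (not a real capture).  192.0.2.10 is an RFC 5737
# documentation address standing in for an attacker-controlled server.
T0 = datetime(2014, 6, 16, 17, 0, 0)
SAMPLE_LOG = [
    HttpRequest(T0, "GET", "192.0.2.10", "/publickey/"),
    HttpRequest(T0 + timedelta(seconds=30), "GET", "www.example.com", "/"),
    # the search as typed into Bing ...
    HttpRequest(T0 + timedelta(seconds=60), "POST", "www.bing.com", "/search", "q=dyreza+trojan"),
    # ... and the copy the browser hook sends to the attacker one second later
    HttpRequest(T0 + timedelta(seconds=61), "POST", "192.0.2.10", "/", "q=dyreza+trojan"),
    # a refresh of the same search: same host, so not a finding
    HttpRequest(T0 + timedelta(seconds=62), "POST", "www.bing.com", "/search", "q=dyreza+trojan"),
    # same text submitted elsewhere ten minutes later: outside the window
    HttpRequest(T0 + timedelta(seconds=600), "POST", "www.example.com", "/form", "q=dyreza+trojan"),
]


if __name__ == "__main__":
    result = find_dyre_indicators(SAMPLE_LOG)
    for r in result["publickey_beacons"]:
        print(f"beacon: GET {r.host}{r.path} at {r.ts:%H:%M:%S}")
    for a, b in result["duplicate_posts"]:
        print(f"duplicate POST: {a.host}{a.path} -> {b.host}{b.path} "
              f"({(b.ts - a.ts).total_seconds():.0f}s apart, body {a.body!r})")
```

On the constructed log this reports one beacon and one duplicated POST (Bing to 192.0.2.10); the refresh and the much later reuse of the same text are deliberately left out. The pairing window is the knob to tune: too wide and ordinary multi-site form reuse shows up, too narrow and a slow exfiltration copy is missed.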

With the traffic under their control, the cybercriminals can intercept anything the user submits to secure sites such as online banking portals and read it in plain text. Stealing credentials for financial websites is the malware's obvious purpose.

“By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers’ page,” says Tokazowski.

According to Tokazowski, Dyre/Dyreza watches for requests to Bank of America, Citigroup and the Royal Bank of Scotland; researchers at CSIS Security Group in Denmark found that Ulsterbank and Natwest are also among the targets.

Several of the command-and-control servers have been traced to Riga, Latvia, and access to parts of one server revealed a custom “money mule” panel built into it.

CSIS notes that the malware is delivered through spam campaigns, but it can also reach its targets via phishing pages that ask the visitor to update Adobe Flash Player in order to see the promised content.

At the moment, multiple antivirus products detect the Dyre/Dyreza Trojan and block infection, despite its authors’ efforts to evade detection and hinder analysis.