
TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 28 Oct 2014 00:30:49 -0500

NCCIC / US-CERT

National Cyber Awareness System:

TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware [ https://www.us-cert.gov/ncas/alerts/TA14-300A ] 
10/27/2014 12:10 PM EDT 
Original release date: October 27, 2014

Systems Affected

Microsoft Windows

Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza 
banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, 
exploits, themes, and payload(s).[1] [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729 ][2] [ 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 ] Although this campaign uses various tactics, the actor’s 
intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to 
capture user login information and send the captured data to malicious actors.[3] [ 
http://www.pcworld.com/article/2364360/new-powerful-banking-malware-called-dyreza-emerges.html ] Phishing emails used 
in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched 
versions of Adobe Reader.[4] [ http://www.adobe.com/support/security/bulletins/apsb13-15.html ][5] [ 
http://www.adobe.com/support/security/bulletins/apsb10-07.html ] After successful exploitation, a user's system will 
download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the 
release of this alert.[6] [ 
https://www.virustotal.com/en/file/6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135/analysis/ ]

Please note that the indicators listed below do not represent all characteristics and indicators of this campaign.

*_Phishing Email Characteristics:_*


  * Subject: "Unpaid invoic" (*Spelling errors in the subject line are a characteristic of this campaign*) 
  * Attachment: Invoice621785.pdf 

*_System Level Indicators (upon successful exploitation):_*


  * Copies itself to C:\Windows\[RandomName].exe 
  * Creates a service named "Google Update Service" by setting the following registry values: 
      * HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe" 
      * HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service" 
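Added example, not part of the US-CERT alert: a PowerShell check a defender can run on a Windows host to look for the system-level indicators listed above (the service key, its display name, and an executable dropped directly under the Windows directory), comparing any file found against the SHA-256 of the VirusTotal sample cited in [6]. It assumes an elevated session and that the service key name on an infected host is the one shown in the alert.

```powershell
# Added example (not the alert's own code): checks a Windows host for the
# TA14-300A system-level indicators. Run from an elevated PowerShell session.

# Indicator values taken from the alert; the hash is the sample referenced in [6].
$ServiceKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\googleupdate'
$DisplayName    = 'Google Update Service'
$KnownBadSha256 = '6B6FDC4B116802728EC763AC7B25472046465DD0CF58146B3755E7EFCB83F135'

$findings = @()

if (Test-Path $ServiceKey) {
    $svc = Get-ItemProperty -Path $ServiceKey
    $findings += "Service key present: $ServiceKey"

    if ($svc.DisplayName -eq $DisplayName) {
        $findings += "DisplayName matches indicator: '$($svc.DisplayName)'"
    }

    # The alert shows the dropper copied straight under C:\Windows with a random
    # name; strip quotes and any arguments so the path can be tested and hashed.
    $imagePath = ("$($svc.ImagePath)" -replace '"', '').Trim()
    $exe = ($imagePath -split '\.exe', 2)[0] + '.exe'
    if ($exe -match '^[A-Za-z]:\\Windows\\[^\\]+\.exe$') {
        $findings += "ImagePath is an executable directly under the Windows directory: $exe"
    }

    if (Test-Path $exe) {
        $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        if ($hash -eq $KnownBadSha256) {
            $findings += "SHA-256 of $exe matches the sample referenced in the alert"
        } else {
            $findings += "SHA-256 of ${exe}: $hash (not the referenced sample; submit for analysis)"
        }
    }
}

# Also catch a service using the indicator display name under any key name.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq $DisplayName -and $_.PathName -match '\\Windows\\[^\\]+\.exe' } |
    ForEach-Object { $findings += "Service '$($_.Name)' with path $($_.PathName)" }

if ($findings.Count -eq 0) {
    'No Dyre service indicators from TA14-300A found on this host.'
} else {
    'Possible Dyre indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on the display name or path alone warrants isolating the host and submitting the binary for analysis; the hash comparison only confirms the one sample the alert references, not other builds of the same malware.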

Impact

A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking 
services.

Solution

Users and administrators are encouraged to take the following preventive measures to protect their computer networks 
from phishing campaigns:


  * Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing 
Attacks [ https://www.us-cert.gov/ncas/tips/st04-014 ] [7] [ https://www.us-cert.gov/ncas/tips/st04-014 ] for more 
information on social engineering attacks. 
  * Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing 
and Avoiding Email Scams [ https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf ].[8] [ 
https://www.uscert.gov/sites/default/files/publications/emailscams_0905.pdf ] 
  * Follow safe practices when browsing the web. See Good Security Habits [ https://www.us-cert.gov/ncas/tips/ST04-003 
] [9] [ https://www.us-cert.gov/ncas/tips/ST04-003 ] and Safeguarding Your Data [ 
https://www.us-cert.gov/ncas/tips/ST06-008 ] [10] [ https://www.us-cert.gov/ncas/tips/ST06-008 ] for additional 
details. 
  * Maintain up-to-date anti-virus software. 
  * Keep your operating system and software up-to-date with the latest patches. 

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of 
phishing scams.

You can report phishing to us by sending email to phishing-report () us-cert gov.

References

  * [1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014 [ 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729 ] 
  * [2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014 [ 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 ] 
  * [3] New Banking Malware Dyreza, accessed October 16, 2014 [ 
http://www.pcworld.com/article/2364360/new-powerful-banking-malware-called-dyreza-emerges.html ] 
  * [4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014 [ 
http://www.adobe.com/support/security/bulletins/apsb13-15.html ] 
  * [5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014 [ 
http://www.adobe.com/support/security/bulletins/apsb10-07.html ] 
  * [6] VirusTotal Analysis, accessed October 16, 2014 [ 
https://www.virustotal.com/en/file/6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135/analysis/ ] 
  * [7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks [ 
https://www.us-cert.gov/ncas/tips/st04-014 ] 
  * [8] US-CERT Recognizing and Avoiding Email Scams [ 
https://www.uscert.gov/sites/default/files/publications/emailscams_0905.pdf ] 
  * [9] US-CERT Security Tip (ST04-003) Good Security Habits [ https://www.us-cert.gov/ncas/tips/ST04-003 ] 
  * [10] US-CERT Security Tip (ST06-008) Safeguarding Your Data [ https://www.us-cert.gov/ncas/tips/ST06-008 ] 

Revision History

  * October 27, 2014: Initial Release 