Search the Community

Core checker a defensive wrecker Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes. Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused technique is enough to beat at least eight of the most widely used free and commercial kit, Raff says. "If the machine has only one core it immediately terminates," Raff says in a post. "As many sandboxes are configured with only one processor with one core as a way to save resources, the check performed by Dyre is a good and effective way to avoid being analysed. "On the other hand, most of the PCs in use today have more than one core." Dyre is linked to a variant Dyre Wolf that IBM said last month plundered some $1 million from bank accounts. Raff informed the affected sandbox developers of the evasion technique. Dyre's Upatre downloader also sports new evasion techniques including a different user agent and grammatical fixes previously used to identify the malware. Raff says the technique proves sandboxing should not be used in isolation to stamp out malware. It is the latest development in a long history of cat-and-mouse warfare between malware writers and white hat defenders. Criminals need to contend with infiltrating victim machines while avoid anti-virus and white hats who look for indicators that are hallmarks of a type of malware. Defenders meanwhile face malware that uses increasingly complex evasion techniques that are specifically honed to beat sandboxes, virtual machines and other tools. Source

IBM has unearthed evidence of an international cybercrime operation that has plundered more than $1 million from the corporate accounts of U.S. businesses. IBM has dubbed the operation 'The Dyre Wolf' after the Dyre malware at the center of the scheme. In October, US-CERT warned the malware was being used in spear-phishing campaigns to steal money from victims. In the campaign uncovered by IBM, attackers often used phony invoices laced with malware to snare their victims. While the file inside the attached zip file has an embedded PDF icon, it is actually an EXE or SCR file. Once opened, the victim is served the Upatre malware, which in turn downloads Dyre. "Once Dyre is loaded, Upatre removes itself as everything going forward is the result of the extensive functionality of Dyre itself," IBM noted in its report. "The password-stealing function of Dyre is the focus of this campaign, and ultimately what's used to directly transfer the money from the victim’s account. Dyre’s set up, much like Upatre’s, requires a number of steps to remain stealthy which helps it to spread itself to additional victims." Dyre also hooks into the victim's browsers (Internet Explorer, Chrome and Firefox) in order to steal credentials the user enters when they visit any of the targeted bank sites. In some cases, possibly due to the use of two-factor authentication, an extra dose of social engineering is used. "Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site," blogged John Kuhn, senior threat researcher at IBM. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in." According to IBM, when the victims call the number, they are greeted by a person with an American accent who states he works with the affected bank. After a brief conversation, the individual prompts the person to give their username and password and appears to verify it several times. The person may also ask for a token code, and ask to speak with a co-worker with similar access to the account and get information from them as well. "One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as," Kuhn blogged. This all results in successfully duping their victims into providing their company’s banking credentials, he added. After stealing the credentials, the attacker logs into the account and transfers large sums of money to various offshore accounts, IBM notes in its report. There have been reports of amounts ranging from $500,000 to $1 million USD being stolen via multiple, smaller transactions. As if that were not enough, the victim may also be hit with a distributed denial-of-service attack to cover the attacker's tracks. "The DDoS itself appears to be volumetric in nature," according to IBM's report. "Using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream. While they may have the potential to attack any external point in a business's network, the incidents we are tracking appear to focus on the company's website." Back in October, IBM's Trusteer team tracked a spike in the infection rate of Dyre, which is now believed by the firm to be in direct relationship with the development advancements within the Dyre project. In its current form, the malware appears to be owned and operated by a closed cyber-gang based in Eastern Europe, though the malware code itself could be operated by several connected teams attacking different geographies, IBM reported. "The sophistication and the level of deception that Dyre is now using is unprecedented when it comes to banking trojans," Kuhn told SecurityWeek. "The social engineering to defeat two-factor authentication shows the level of dedication and persistence to obtain their goal. Covering their tracks by initiating the denial-of-service attacks demonstrates how far they will go to ensure that the illicit transfer of money is hidden for as long as possible. The Dyre Wolf campaign is well funded, sophisticated and methodical in the theft off large sums of money." *This story was updated with additional information about the attack. Sursa: IBM: Cyber-gang Uses Dyre Malware to Loot Corporate Bank Accounts | SecurityWeek.Com