Threat Intelligence Garden

Dyre

2 min read

Dyre

Description

(SecureWorks) In early June 2014, the Dell SecureWorks Counter Threat Unit (CTU) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry.

Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim’s computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor (‘web fakes’) and a dynamic web inject system that allows the threat actors to manipulate a financial institution’s website content. Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim’s system, stealing information and manipulating website content before it is rendered by the browser.

Early Dyre versions were relatively primitive, sending command and control (C2) communications and stolen data via unencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption algorithm. Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering.

Names

Name
Dyre
Dyreza
Dyzap
Dyranges

Category

Malware

Type

  • Banking trojan
  • Info stealer
  • Backdoor

Information

Mitre Attack

Malpedia

Alienvault Otx

Other Information

Uuid

1b27f8b4-dddf-4d58-b033-3772234bdd47

Last Card Change

2020-05-13

Graph View

Backlinks