Dyreza Trojan Targeting IT Supply Chain Credentials

Share this…

The Dyreza Trojan long ago ceased its exclusive focus on stealing banking credentials, and has been blamed for its part in attacks against Salesforce.com customers, webhosts and registrars, online retailers and many more.

Researchers at Proofpoint today published new information that indicates the malware is now being used to phish credentials for the IT supply chain as well. As many as 20 organizations, including a handful of software companies supporting fulfillment and warehousing and another set of computer distributors, were listed in the malware’s configuration files.

Dyreza Trojan Targeting IT Supply Chain Credentials

“The disturbing aspect to this choice of targets is that it’s clearly a complete supply chain,” said Kevin Epstein, Proofpoint vice president of threat operations. “If you look at the potential of this supply chain, it’s a powerful set of accounts to gain access to. With it, you can divert shipments of physical goods, issue full sets of payments and invoices to artificial companies, do large-scale gift-card issues. This is a significant issue, and while some may not think it’s as glamorous as direct access to a bank account, the risk here is huge. This is a core element of many companies.”

Dyreza, also known as Dyre, injects itself into a victim’s browser and serves up modified versions of legitimate webpages and forms. The attacks are initiated via phishing emails and logs of browser data and information entered by the victim are sent back to the attackers. While generally a tool for cybercriminals, Dyreza is available in black markets and can be modified for targeted attacks.

“Historically, Dyreza’s success rate has been high,” Epstein said. “There are quick release cycles, frequent updates bug fixes, you name it. It’s a successful model.”

Proofpoint has published a list of indicators of compromise and the organizations targeted by the malware; in addition to fulfillment and warehousing targets, the malware also bears a list of inventory and warehouse management firms, ecommerce platforms, as well as Apple, Iron Mountain, Otterbox and Badger Graphics.

“The specific changes observed represent a clear and deliberate strategy on the part of attackers to target a new industry, at all points across the supply chain,” Proofpoint wrote in its report. “We suspect a financial motivation. Once an attacker has obtained login credentials for their targeted systems, the potential to harvest payment information, make fraudulent financial transfers, and even divert physical shipments is immense.”

In one example, organizations receive an email purporting to be from a legitimate bank with the subject line “You have received a secure e-mail.” The text of the message says it’s important the reader open the attachment while connected to the Internet. The attachment is a supposed is an Office document that is encrypted, and in order for the document to be read, the victim is told to click a button that reads “Enable Content,” which in fact enables macros in the document to execute.

Macro-based attacks have been on the rise in the past few months, with a number of malware families, the Dridex banking malware in particular, trying their hand at an old-school means of infecting computers. With macros disabled by default in Windows since Office 2007, users have to be enticed into enabling them. With this most recent rash of Dyreza infections, the Xbagging or Bartallex macros download the Upatre downloader, which then grabs Dyreza from an attacker-controlled server.

“The specific changes Proofpoint observed are in the ‘<rpcgroup>’ section of Dyreza’s configuration,” Proofpoint said. “This section contains directives to Dyreza to sniff POSTs within the users’ browser and send them to the Dyre C2.”

Dyreza is a money-maker for cybercriminals. Its keepers constantly invest in the malware, updating its capabilities and targets. Earlier this year, researchers at IBM said attackers were using a call-center operation to fleece victims of passwords and two-factor authentication PIN codes in order to get through fraud-detection systems. The result was some fraudulent banking transfers in the neighborhood of $1 million in losses.