Dyre presents server-side web injects
Dyre is a relatively new banking Trojan, first seen in the beginning of 2014. It soon emerged as one of the most sophisticated banking and commercial malware in the wild.
One of the main capabilities Dyre has presented, which differentiated it from the other well-known banking Trojans, was the “fake bank page” functionality. Once the victim tries to reach the real bank, Dyre intercepts the request and fetches its own fake page from one of its C&C servers.
However, while researching the Trojans’ internals we noticed another stage in the fraud techniques evolution.
“Traditional” fraud malware performs malicious JavaScript injection on the client machine while taking it from a configuration previously downloaded from the C&C server. However, Dyre maintains the injections on its C&C servers. This gives Dyre the flexibility to adjust the injected code on demand and minimize exposure of the existing web-injects.
During our research we noticed two types of injections which lead to two different scenarios. In the first scenario, the web-injects (malicious JavaScript) stole just the login credentials, while in the second scenario it would also contain an embedded HTML page which targets credit card information as well.
Other than just targeting financial online applications, using the “Grabber” module, Dyre enables its operators to steal virtually any user-supplied sensitive information online in large amounts. This information includes credentials for email applications, social platforms, hosting infrastructure, and corporate SSL-VPNs. While this information may be resold in the “underground”, the bigger risk is that malware operators might hijack email and social network accounts to perform surveillance, or blackmail individuals or organizations. They could also hijack hosting infrastructure to further deploy other malicious code, or break into organizations using stolen VPN credentials.
Many have written about this new threat. However, few have succeeded in covering the entire fraud flow and most of its capabilities.
For more details on the Trojan’s internals, read the report:
https://devcentral.f5.com/s/d/dyre-malware-internals?download=true