HackDig : Dig high-quality web security articles for hacker

“Tyranny of the Police” Email Delivers Upatre Trojan

2014-12-06 07:45

Dyreza banking malware believed to be downloaded

Fake email lures users with bait about police abuse in Ferguson, Missouri

A malicious email is currently hitting the inboxes claiming to be delivered by the Deans & Lyons law firm and to inform recipients of new abuses committed by the police following the Ferguson incidents.

The message contains a link that appears to lead to a page on CNN, although the domain name should be enough of a clue to steer clear.

According to Belgium-based MX Lab, a company providing solutions against email threats, accessing the URL downloads a ZIP archive containing a file with a double extension (BreakingNews_pdf_exe). It is a variant of the Upatre Trojan, a downloader that is generally used to fetch other malware onto the affected computer.

Threat has five Dutch PE language resources

In order to get the recipient to click on the link, the crooks claim that it is a report made by the law firm about the situation in Ferguson, Missouri. The multiple grammar mistakes in the body of the message should raise the recipient's suspicions.

An analysis of the malicious file on Friday showed that only three out of 54 antivirus engines on VirusTotal were able to identify the threat. However, as of this writing, detection has improved and 19 products label the item as malicious.

The report on VirusTotal states that there are six PE resources available, five of them being Dutch and one being English.

A commenter on the scanner's website says that the threat installs a version of Dyreza, also known as Dyre. It is a Trojan used for stealing banking information, and it has been deployed against numerous financial institutions in European countries, Switzerland in particular.

It has also been observed to target customers of the cloud-based CRM provider Salesforce, and to steal credentials for Bitcoin trading websites.

Malicious page is no longer active

MX Lab reports that, once the download completes, the URL redirects to a legitimate CNN page offering more details about the Ferguson incidents.

The domain hosting the malicious file has been suspended, and at the moment the risk of getting malware from that address no longer exists. However, cybercriminals may register a new domain for the campaign and keep on sending the deceitful emails.

The malware appears to be distributed under multiple names, including “ybwbh.exe” and “file-7765943_exe,” which suggests that it is distributed through multiple email campaigns.
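The lure described above relies on a ZIP archive whose member is a Windows executable wearing a document-style name (BreakingNews_pdf_exe, and the other names reported later such as file-7765943_exe). The following Python script is an added example, not code from the article or from MX Lab, of the kind of attachment check a mail gateway or triage script can run: it opens an archive in memory, flags member names that end in an executable extension (including the underscore-separated variants quoted above), and, for members whose names look harmless, peeks at the first two bytes for a PE "MZ" header. The extension lists and the sample archive are constructed for the example; only the two file names come from the article.

```python
import io
import re
import zipfile
from typing import Dict, Optional

# Assumed blocklist: extensions Windows will run on double-click. Extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Extensions that lures commonly borrow to look like a harmless document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg",
                 "png", "htm", "html"}

# Split on dots and on underscores, so "BreakingNews_pdf_exe" is treated
# like "BreakingNews.pdf.exe".
_SPLIT = re.compile(r"[._]")


def classify_name(name: str) -> Optional[str]:
    """Return a reason if the member name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = [p for p in _SPLIT.split(base) if p]
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    # Double extension: "report.pdf.exe" or the underscore variant from the campaign.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"document extension '{parts[-2]}' followed by executable extension '{last}'"
    # Plain executable, possibly with the dot replaced by an underscore ("file-7765943_exe").
    return f"executable extension '{last}'"


def scan_zip(zip_bytes: bytes) -> Dict[str, str]:
    """Scan an in-memory ZIP and return {member_name: reason} for every suspicious member."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason is None:
                # Name looks harmless: check the content for a PE (MZ) header anyway.
                with zf.open(info) as fh:
                    magic = fh.read(2)
                if magic == b"MZ":
                    reason = "PE header (MZ) under a non-executable name"
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the example; the bodies are not real malware."""
    fake_pe = b"MZ" + b"\x00" * 62  # just the DOS header magic, nothing executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BreakingNews_pdf_exe", fake_pe)   # name from the article
        zf.writestr("file-7765943_exe", fake_pe)       # name from the article
        zf.writestr("report.pdf.exe", fake_pe)         # classic dotted double extension
        zf.writestr("photo.jpg", fake_pe)              # PE hiding under an image name
        zf.writestr("notes.txt", b"plain text, nothing to see")
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"SUSPICIOUS {member}: {why}")
```

Running the script reports the four planted members and stays quiet on the genuine text and PDF entries. The magic-byte check matters because a name filter alone misses "photo.jpg"; conversely, the name filter catches executables even when the archive is encrypted and the content cannot be read.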

Malicious email campaigns are particularly frequent and aggressive during the holiday season. Users are advised to refrain from accessing links in suspicious messages and to first verify the information.


Source: WZE1CbpFWbF1SZjlGbvBVLlhGdtY2TtknbuFmc5R1LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps
