
Dyre Targets More Websites

2015-03-07 01:40

The Dyre Trojan has broadened its targeting, aiming to harvest sensitive data from a growing list of websites.

Dyre was previously known for going after banking credentials above all else, but ThreatTrack Security Labs researchers recently found several new types of domains in its standard target list.

Dyre has added more web hosting and email domains to its list, standard fodder for a Trojan that needs places to host and redistribute itself, but it has also appended entirely new categories: popular job hunting, tax services, online retail and Internet Service Provider (ISP) websites.

Labs researchers used Wireshark to monitor Dyre's TCP connections. Because Dyre hooks the browser, it captures form data before it is encrypted and then forwards it to its own server, which is what the capture below shows.

Figure: TCP capture of Dyre sending the contents of an HTTPS session to a Dyre server.

The Labs team then acquired configuration data from an active infection; the original post links to the configuration file they pulled.

Based on field experience and initial investigation of these new targets, the Labs team compiled the following list of likely reasons each group of sites is targeted:

Web hosting and domain registrars: could be used to register new sites and modify existing ones, most likely for hosting malware.

  • iweb.com
  • lunarpages.com
  • networksolutions.com
  • godaddy.com
  • hostgator.com
  • bluehost.com
  • enom.com


Job sites: gathering identity information, campaign templates or targets.

  • glassdoor.com
  • monster.com
  • indeed.com
  • simplyhired.com
  • careerbuilder.com


Online retail: acquiring hardware and user information.

  • newegg.com
  • sellerportal.newegg.com


Records and business services: site records for targeting, templates and other attacks.

  • accurint.com
  • thomsonreuters.com
  • stamps.com


Email delivery services: can aid in email distribution of malware or other attacks.

  • mailchimp.com
  • mandrillapp.com


ISP and telecom portals: enterprise account information used for further targeting or templates, data gathering, access to corporate data and similar purposes.

  • wireless.att.com
  • smb.att.com
  • businessdirect.att.com
  • verizonenterprise.com
  • verizon.com


Tax services: personal income and account information, as tax season approaches.

  • turbotax.com
  • intuit.com
  • hrblock.com
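
The target list above is most useful when scoping an infection: given the domains Dyre's configuration watches and a web-proxy log from a suspect host, you can tell which credentials and sessions should be treated as exposed. The following is an added example, not ThreatTrack's code; the log format, client addresses and hostnames are constructed for the illustration, and only the target domains come from the post. Matching is done on DNS label boundaries, because a plain substring or endswith() check would also flag look-alike domains such as notgodaddy.com.

```python
"""Scope a Dyre infection against the target list from this post.

Added example (not ThreatTrack's code).  DYRE_TARGETS is the list from the
post; everything else (log format, addresses, hostnames) is constructed.
"""
import re
from collections import defaultdict

# Target domains as listed in the post, grouped by the suspected purpose.
DYRE_TARGETS = {
    "web hosting / registrars": ["iweb.com", "lunarpages.com", "networksolutions.com",
                                 "godaddy.com", "hostgator.com", "bluehost.com", "enom.com"],
    "job sites": ["glassdoor.com", "monster.com", "indeed.com", "simplyhired.com",
                  "careerbuilder.com"],
    "online retail": ["newegg.com", "sellerportal.newegg.com"],
    "records / business services": ["accurint.com", "thomsonreuters.com", "stamps.com"],
    "email delivery": ["mailchimp.com", "mandrillapp.com"],
    "ISP / telecom": ["wireless.att.com", "smb.att.com", "businessdirect.att.com",
                      "verizonenterprise.com", "verizon.com"],
    "tax services": ["turbotax.com", "intuit.com", "hrblock.com"],
}


def matching_target(host):
    """Return (category, target) if host is a target domain or a subdomain of one.

    Matching is done on DNS label boundaries, so 'notgodaddy.com' does not
    match 'godaddy.com'.  The most specific (longest) target wins, so
    sellerportal.newegg.com is reported as itself rather than as newegg.com.
    """
    host = host.lower().rstrip(".")
    best = None
    for category, targets in DYRE_TARGETS.items():
        for t in targets:
            if host == t or host.endswith("." + t):
                if best is None or len(t) > len(best[1]):
                    best = (category, t)
    return best


# Constructed proxy log lines (not real traffic): time, client IP, method, URL.
SAMPLE_LOG = """\
1425700001.123 10.0.0.15 CONNECT www.godaddy.com:443
1425700002.456 10.0.0.15 GET http://notgodaddy.com/promo
1425700003.789 10.0.0.15 CONNECT sellerportal.newegg.com:443
1425700004.012 10.0.0.22 CONNECT smb.att.com:443
1425700005.345 10.0.0.15 CONNECT turbotax.com:443
1425700006.678 10.0.0.15 GET http://example.org/index.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def host_from_url(field):
    """Extract the hostname from a CONNECT host:port field or an absolute URL."""
    if "://" in field:
        field = field.split("://", 1)[1]
    return field.split("/", 1)[0].rsplit(":", 1)[0]


def exposed_sites(log_text):
    """Map each client IP to the sorted list of (category, target) it reached."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, _, url = m.groups()
        match = matching_target(host_from_url(url))
        if match:
            hits[client].add(match)
    return {ip: sorted(v) for ip, v in hits.items()}


if __name__ == "__main__":
    for ip, sites in exposed_sites(SAMPLE_LOG).items():
        print(ip)
        for category, target in sites:
            print(f"  {target:28} ({category})")
```

Run against a real proxy export, the output for each infected host is the set of accounts whose passwords should be reset and whose sessions should be invalidated; the pure HTTPS CONNECT entries are enough, since Dyre reads the session in the browser regardless of TLS.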

Defend Yourself Against Dyre

End users should be reminded not to open attachments without considering their security. Dyre is commonly delivered as an infected .zip attachment containing the Upatre downloader, which then fetches Dyre, or as a malicious .pdf attachment that exploits the reader.
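
Since the .zip route depends on the user running an executable hidden inside the archive, a mail gateway or endpoint tool can inspect zip attachments without extracting them and quarantine any that contain an executable member. The following is an added example, not ThreatTrack's code: it flags members by executable extension (including the "invoice.pdf.exe" double-extension trick) and by the PE "MZ" header for executables renamed to look like documents, and it treats an encrypted or unreadable archive as a finding rather than letting it pass. The sample attachment is constructed in memory.

```python
"""Flag zip attachments that look like Dyre/Upatre droppers.

Added example (not ThreatTrack's code).  The sample archive is constructed
in memory; the extension list is an assumption about what a gateway would
consider executable.
"""
import io
import zipfile

# Assumed set of extensions that run when double-clicked on Windows.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".vbs", ".jar")


def member_is_executable(name):
    """Judge by the final extension of the member name, case-insensitively."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def starts_with_mz(data):
    """A PE executable starts with the 'MZ' DOS header whatever its name."""
    return data[:2] == b"MZ"


def suspicious_members(zip_bytes):
    """Return (member name, reason) for members that are executable by
    extension or by content.

    Only the first two bytes of each member are read, so a large archive is
    not fully decompressed.  A password-protected member or a corrupt archive
    is reported as a finding rather than silently passing.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = None
                if member_is_executable(info.filename):
                    reason = "executable extension"
                else:
                    try:
                        with zf.open(info) as fh:
                            if starts_with_mz(fh.read(2)):
                                reason = "PE header under non-executable name"
                    except RuntimeError:  # zipfile raises this for encrypted members
                        reason = "encrypted member"
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "not a readable zip"))
    return findings


def build_sample_zip():
    """Constructed attachment: a benign text file, a double-extension dropper,
    and a PE body disguised as a .pdf (the bodies are dummy bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "please see attached invoice")
        zf.writestr("Invoice_2015-03.PDF.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"QUARANTINE {name}: {reason}")
```

The content check matters more than the extension check: Windows hides known extensions by default, so a user sees "Invoice_2015-03.PDF" either way, and a gateway that only looks at names is easy to fool with an obscure extension.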

For help educating users, reference Users Beware: 10 Security Tips to Share with Your Users.


The information presented in this post may contain names and images associated with real companies. There is no evidence that any of the sites mentioned have been compromised. Users with computers infected with Dyre may be at risk of having their personal information stolen when visiting these sites. 

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

The post Dyre Targets More Websites appeared first on ThreatTrack Security Labs Blog.

Source: feedproxy.google.com/~r/threattracksecurity/~3/04BaG3KilYU/
