HackDig : Dig high-quality web security articles for hacker

US-CERT Alerts Of Ongoing Phishing Campaign Delivering Dyre Banking Trojan

2014-10-29 01:25

An alert from US-CERT (Computer Emergency Readiness Team) on Monday, warns of a malicious email campaign spreading the Dyre banking Trojan, also known as Dyreza.

The wave of messages started since the middle of the month, US-CERT claims, and the actors behind them do not discriminate as far as recipients are concerned.

Old Adobe Reader vulnerabilities used in new attacks

It appears that the campaign has several variations with regards to the sender address, theme of the email and the exploits used. However, the ultimate goal is to lure the recipient to open a malicious attached file, which, according to CERT, purports to be an invoice in PDF format.

The document (Invoice621785.pdf) is weaponized and carries exploits for old vulnerabilities in Adobe Reader. As such, the cybercriminals target users with old unpatched versions of the document reader.

One of the vulnerabilities leveraged is CVE-2013-2729, which allows execution of arbitrary code in Adobe Reader and Acrobat versions earlier than 9.5.5, 10.1.7 and 11.0.03.

Dyre banking Trojan is not a new malware family as it has been spotted for the first time in June, this year. Since then, the malicious tool was identified in multiple cyber incidents, one of the most prominent being against customers of Salesforce in September.

Users are advised to exercise caution when receiving unsolicited emails and pay particular attention to the spelling in the body and the subject of the message as this is an indicator of fraud. Also, presence of Google Update Service could be a sign of infection.

Cybercriminals have been testing user vigilance all summer

The Trojan is designed to steal log-in information, banking details in particular and send it to its operator. However, the piece was adapted for other types of credentials and in a recent incident it has been observed to include bitcoin websites on the list of targets in the configuration file.

Email campaigns having the delivery of Dyre as the ultimate goal have been carried out all summer, as this seems to be the preferred method of the cybercriminals behind it.

It has been seen in email phishing purporting to come from JP Morgan financial institution, as well as in messages claiming to be a notification of a new voice message being available.

The malware has been improved of the months following its release in the wild up to the point that it used its own SSL certificate to secure communication with the command and control server and hide malicious traffic.

Source: 2cphGUtcmbp92Zu9ULm9ULzRnclxWQtQlUFNULTV1LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:1834 | Comments:0 | Tags:Advisories

“US-CERT Alerts Of Ongoing Phishing Campaign Delivering Dyre Banking Trojan”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud