Dyre spam attack
Patching systems and software should be a high priority for any organisation. Older vulnerabilities are often easy prey for attackers seeking a way inside an organisation’s defensive perimeter. If proof of the maxim “patch your systems regularly” is needed, then this week’s exploitation of an old vulnerability in Adobe Reader and Adobe Acrobat should provide it.
The vulnerability is tracked as CVE-2013-2729; a patch has been available since May 2013. Dyre malware (designed specifically to target financial organisations) has started using this particular exploit. Dyre can steal login credentials by means of “browser hooking”: the malware hooks into the browser so that credentials are captured after the user types them but before the browser encrypts them for transmission.
Amongst its other features, Dyre can modify network traffic, which allows it to carry out “man in the middle” (MITM) attacks. Dyre can also send attackers a list of running programs and installed software on victim PCs, along with screenshots. The purpose of this behaviour is to let attackers compile a list of an organisation’s software, which can then be combed for vulnerabilities. Software that is unpatched (and contains old, known vulnerabilities) can then be targeted by the criminals.
The method by which Dyre is spread has not changed. Spam emails are used to target individuals in an organisation. The spam emails carry a malicious .pdf attachment; if the user opens the attachment, an executable is installed on the victim machine. The executable file (detected as TROJ_PIDIEF.YYJU) then downloads the Dyre malware.
Dyre malware has been detected targeting Bitcoin sites, according to a blog post on Trend Micro. Bitcoin is a virtual currency; recently it has started to take on a real world value. As it is still in its infancy, criminals are targeting bitcoin sites as a new way to scam money.
Dyre’s ability to use browser hooking to steal login information and its capacity to send a list of installed software to cybercriminals make it a serious threat. It is spread via spam emails, a delivery method that remains popular with cyber criminals.
Whilst anti-virus software can filter out spam email, it relies on signatures. Unfortunately, these signatures and the subsequent updates to the anti-virus database can come too late for some organisations. It only takes one user to accidentally open an email attachment. Once cyber criminals know which software an organisation is using, they can look for older, unpatched versions of that software and craft attacks based on known vulnerabilities. We strongly recommend ensuring that patching of systems and application software is kept up to date.
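The recommendation above is easier to act on if the software inventory attackers would love to steal is checked against known-fixed versions on the defender's side first. The following is an added example, not code from the original article or from any vendor: a small patch-compliance check that compares a constructed inventory of hosts against a baseline of the first fixed release per major branch. The product names, hostnames, inventory and all version numbers are placeholders; the real fixed versions for CVE-2013-2729 come from the vendor's security bulletin, not from this script. It deliberately handles two traps a naive string comparison gets wrong: versions of unequal length ("11.0" versus "11.0.2") and multi-digit components ("11.0.10" versus "11.0.2"), and it flags installs on a branch the baseline does not cover at all rather than silently passing them.

```python
"""Patch-compliance check: flag installed software below the fixed version.

Added example, not code from the original article. Every value in
BASELINES and INVENTORY is a constructed placeholder; a real baseline
comes from the vendor security bulletin for the CVE in question.
"""
from typing import Dict, List, Tuple

# Constructed baseline: product -> {major version branch -> first fixed release}.
# PLACEHOLDER numbers only; substitute the versions from the vendor bulletin.
BASELINES: Dict[str, Dict[int, str]] = {
    "Adobe Reader": {9: "9.1.0", 10: "10.1.0", 11: "11.0.2"},
    "Adobe Acrobat": {9: "9.1.0", 10: "10.1.0", 11: "11.0.2"},
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws01", "Adobe Reader", "11.0.0"),    # below fixed 11.0.2
    ("ws02", "Adobe Reader", "10.1.0"),    # exactly the fixed release
    ("ws03", "Adobe Reader", "11.0"),      # short form, still below 11.0.2
    ("ws04", "Adobe Acrobat", "8.3.1"),    # branch not in baseline at all
    ("ws05", "Adobe Reader", "11.0.10"),   # newer than 11.0.2 (string compare says otherwise)
    ("ws06", "Firefox", "30.0"),           # not covered by this baseline; ignored
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.3' into (11, 0, 3) so components compare as integers.

    A trailing non-numeric suffix in a component ('3b') is dropped; a
    component with no digits counts as 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(installed: str, fixed: str) -> bool:
    """True when `installed` is strictly below `fixed`.

    Shorter tuples are zero-padded so 11.0 == 11.0.0 and 11.0 < 11.0.2.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory, baselines=BASELINES) -> List[Dict[str, str]]:
    """Return one finding per host whose install is below the fixed release
    for its branch, or whose branch has no fixed release in the baseline."""
    findings = []
    for host, product, version in inventory:
        branches = baselines.get(product)
        if branches is None:
            continue  # product not covered by this baseline
        major = parse_version(version)[0]
        fixed = branches.get(major)
        if fixed is None:
            reason = "branch %d has no fixed release in baseline; treat as unsupported" % major
        elif is_older(version, fixed):
            reason = "below fixed release %s" % fixed
        else:
            continue
        findings.append({"host": host, "product": product,
                         "version": version, "reason": reason})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY):
        print("%(host)s: %(product)s %(version)s - %(reason)s" % f)
```

Run against the constructed inventory, it reports ws01, ws03 and ws04 and leaves ws02 and ws05 alone; feeding it a real inventory export and the bulletin's fixed versions turns the article's "keep patching up to date" into a list of specific hosts to fix.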