Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)
Upon clicking the link, the user is directed to a page and prompted to download a very small zip file that contains an executable.
Once opened, the user is presented with an executable inside of a zip file. If we take note of the modified date of the .exe inside of the .zip, we can see that this sample was uploaded to the attacker’s page a little over two hours before we received the wave of emails.
Once executed, the malware attempts to beacon out for the second stage download. The file it requests is a PDF; however by looking at the headers of the content, it’s easy to see it’s not a PDF. (PDFs usually start with PDF-).
Once downloaded, a very strange thing happened. Explorer.exe wanted to access the Internet, something that (should) rarely happen.
|At this point, I’m rather skeptical because explorer.exe normally doesn’t need to access the Internet. But lo and behold…the firewall is serious.|
After confirming that the code was potentially injected into explorer.exe (based off of connections out), we dumped the memory of the process. Doing this allowed us to see what was “around” the memory location for the 46 IP address.
In Figure 9, we can see two things. First, we’re presented with our familiar Dyre URL requests. (#1) This is especially important because in the first annotation, this shows that the malware is attempting to communicate via HTTPS out, confirmed by both packet capture and explorer.exe connection ports. By dumping memory, we’re able to see this in the clear. Think of this as a little sweet justice when Dyre does browser hooking to bypass SSL.Second, we can see possible IP address configurations based off of potential communication ports from memory. (#2) This is where it gets fun.
By grepping 10 lines before and after the IP address and using a colon as a second grep filter, we find even more goodies.
In #1 of Figure 11, we can see more IP addresses with the port of 443. Since there are also instances of 4443 too, we can use command line to see what other IP addresses are there. (Figure 12)
And by using a little more command line kung-fu, we can clean up this list of IP addresses, giving us an idea of how many C2 IP addresses Dyre is now using, currently 19 potential C2 nodes.
In Figure 11 #2, there is a different looking IP address with the tag of . By grepping for this, we can see that many banks will be targeted with this.
Since the bank URL configurations are shown in the tag, we can split and find out how many unique bank URLs are being targeted with this: 169 to be exact.And by looking at the litem tag, we can grep down to bank URLs that are being targeted. Here, it’s 281 unique URLs.
For fax variants of the email, we have had success with the following Yara rule:
rule PM_Dyre_Delivery : dyre cryptowall crimeware
$domain1 = “goo.gl” nocase
$domain2 = “cubby.com” nocase
$domain3 = “dropbox.com” nocase
$subject1 = “fax message” nocase
$subject2 = “new fax” nocase
$subject3 = “fax report” nocase
$constant = “Resolution: 400×400 DPI” nocase
(1 of ($domain*) and 1 of ($subject*)) or ($constant)
For catching zip files with executables inside of them, we have had much success with the following rule:
$hdr = “PK”
$e1 = “.exe” nocase
$e2 = “.scr” nocase
$hdr at 0 and (($e1 in (filesize-100..filesize)) or ($e2 in (filesize-100..filesize)))
And for catching voicemail variants, the following Yara signature can be used.
$s1 = “voice message” nocase
$s2 = “voice redirected message” nocase
$s3 = “sent: ” nocase
2 of them
For indicators, I have included 22 different Dyre C2 nodes, banks targeted, and a set of yara rules. You can download the Yara rules here:
Or download the .zip file here:dyre_indicators