So pretty much for the past month across the ranchlands, we have been doing non-stop battle with a nasty piece of work known as Dyre/Dyreza/Upatre.
From all appearances it slipped past the security perimeter via an outside email source; bundled with a simple social-engineering email body, the trap was laid.
Patient-zero clicked the attachment to view a “fax message” helpfully attached to the email and the game was on.
Gradually the various security and response teams were able to tighten the noose and finally gain the upper hand.
Our network deep-packet inspection tools were quickly refined and able to better home in on and identify infected systems’ communications so those systems could be targeted for remediation.
The noose tightened as our email systems were able to be updated to filter out emails containing these payloads and prevent them from reaching employees.
Momentum mounted as our AV providers’ signature detection file sets caught up and became sharper and significantly more effective with on-system detection.
Fast-responding network administrators were able to use the gathered incident intelligence to track down infected systems showing up in various reports and disable them on the networks.
Relentlessly persistent technical first-line teams were able to secure-wipe and reimage infected systems as they were detected and eventually return the users to production capability.
Passwords were changed, and users of infected systems were strongly encouraged to change any personal passwords as well if they had logged into any non-business secure websites – say online banking or bill-paying sites.
So here are some resources regarding this particular type of malware; it pays to know your enemy.
- New DYRE Variant Hijacks Microsoft Outlook, Expands Targeted Banks - TrendLabs Security Intelligence Blog
- A Closer Look at DYRE Malware, Part 1 - TrendLabs Security Intelligence Blog
- A Closer Look at DYRE Malware, Part 2 - TrendLabs Security Intelligence Blog
- CUTWAIL Spambot Leads to UPATRE-DYRE Infection - TrendLabs Security Intelligence Blog
- Dyre times for online banking customers - HP Enterprise Business Community
- Evolution of Upatre Trojan Downloader - Zscaler Research
- Analyzing Man-in-the-Browser (MITB) Attacks - 35687 (direct PDF link) - SANS Institute InfoSec Reading Room whitepaper
- Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL - PhishMe
- The Evolution of Upatre and Dyre - PhishMe
- Dyre Malware Archives - PhishMe
- Wire transfer spam spreads Upatre - Microsoft Malware Protection Center
- Banking Trojan Dyreza sends 30,000 malicious emails in one day - Help Net Security
- Threat Outbreak Alert RuleID7930: Email Messages Distributing Malicious Software on February 17, 2015 - Cisco Outbreak Alert Details