Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware
The Dell Sonicwall Threats Research team observed reports of a Dyre bot family named GAV: Dyre.E and Dyre.F actively spreading in the wild. This is the new Variant of Popular Dyre which is uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network that is similar to Tor network which uses its own self-signed SSL certificate for C&C communications.
Dyre typically arrives via a spam attachment that claims to be a fax or a package tracking notification, but actually includes an Upatre downloader that installs Dyre. The spam emails are sent with Upatre attached and the cycle repeats.
Md5: 9651d4ffb09a507bb17502228a8dc674 , 18cf4a3a89c07aa1fb7a8848e92259ad
The Malware uses the following icon:
The Malware adds the following files to the system:
%Userprofile%Local SettingsTempforeveview.exe [Executable file]
%systemroot%wKehylcgruOagGy.exe [Executable file]
%Userprofile%Local SettingsTempQjGjK48.exe [Executable file]
The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:
The Malware adds the following keys to modify security services on target machine:
The file wKehylcgruOagGy.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to send packets to its own C&C Server and after some time it terminates its own process.
Command and Control (C&C) Traffic
Dyre has the C&C communication over HTTP & SSL. It sends requests to statically defined IP/Domains on a regular basis. Some requests (seems to be normal pdf file) retrieves an encrypted Dyre binary and it is decrypted by its own algorithm.
The malware sends a HTTP request to the C&C server which contains information such as the campaign it belongs to, the infected machines computer name, operating system version, here is an example:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
GAV: Dyre.E ( Trojan )
GAV: Dyre.F ( Trojan )