Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware

February 5, 2015

The Dell SonicWALL Threats Research team observed reports of a Dyre bot family, detected as GAV: Dyre.E and Dyre.F, actively spreading in the wild. This is a new variant of the popular Dyre trojan that uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network similar to the Tor network; the C&C channel uses its own self-signed SSL certificate.

Dyre typically arrives via a spam attachment that claims to be a fax or a package tracking notification, but actually includes an Upatre downloader that installs Dyre. The spam emails are sent with Upatre attached and the cycle repeats.

Infection Cycle:

MD5: 9651d4ffb09a507bb17502228a8dc674, 18cf4a3a89c07aa1fb7a8848e92259ad

The Malware uses the following icon:

The Malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\foreveview.exe [Executable file]

  • %systemroot%\wKehylcgruOagGy.exe [Executable file]

  • %Userprofile%\Local Settings\Temp\QjGjK48.exe [Executable file]

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate

    • HKLM\System\CurrentControlSet\Services\googleupdate\ImagePath

    • Value: %systemroot%\wKehylcgruOagGy.exe

The Malware adds the following keys to modify security services on the target machine:

The file wKehylcgruOagGy.exe is registered as a service on the win32 subsystem. After the next restart, the malware uses an injected svchost.exe to send packets to its own C&C server and, after some time, terminates its own process.
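The persistence artifact above (a service named googleupdate whose ImagePath points at a random-looking executable dropped directly under %systemroot%) is the kind of thing a defender can triage from a dump of the Services registry key. The following is an added example, not SonicWALL's code: it scores constructed service entries with three heuristics (binary located directly in the %systemroot% root, random-looking file name, vendor-like service name whose ImagePath is not a vendor path). The googleupdate entry reproduces the registry value documented in this advisory; the benign entries, the regexes and the entropy/vowel thresholds are constructed assumptions for illustration.

```python
"""Heuristic triage of Windows service ImagePath values for Dyre-style persistence.

Added example (not SonicWALL's code). The googleupdate entry mirrors the advisory;
the other service entries and all thresholds are constructed assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath values.
SAMPLE_SERVICES = {
    "googleupdate": r"%systemroot%\wKehylcgruOagGy.exe",          # from the advisory
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",              # constructed, benign
    "wuauserv": r"%systemroot%\system32\svchost.exe -k netsvcs",  # constructed, benign
    "ExampleAgent": r"C:\Program Files\Example\agent.exe",        # constructed, benign
}


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def image_binary(image_path):
    """Return just the executable path from an ImagePath value, dropping quotes and arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:path.find('"', 1)]
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    return m.group(1) if m else path.split()[0]


def in_systemroot_root(binary):
    """True when the binary sits directly under %systemroot% (not in System32 or a subfolder)."""
    pattern = r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\([^\\]+)$"
    return re.match(pattern, binary, re.IGNORECASE) is not None


def looks_random(filename):
    """Constructed heuristic: mixed case, few vowels and high entropy suggest a generated name."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    mixed = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return mixed and vowel_ratio < 0.35 and shannon_entropy(stem) > 3.0


def assess_service(name, image_path):
    """Return a list of human-readable findings for one service entry (empty if nothing odd)."""
    binary = image_binary(image_path)
    base = binary.rsplit("\\", 1)[-1]
    findings = []
    if in_systemroot_root(binary):
        findings.append("executable placed directly under %systemroot%")
    if looks_random(base):
        findings.append("random-looking file name: " + base)
    # A service name borrowing a vendor's name while running from a non-vendor path.
    if "google" in name.lower() and "google" not in binary.lower():
        findings.append("service name imitates a vendor but ImagePath is not a vendor path")
    return findings


def triage(services):
    """Map service name -> findings, keeping only entries that raised at least one finding."""
    result = {}
    for name, image_path in services.items():
        findings = assess_service(name, image_path)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for svc, notes in triage(SAMPLE_SERVICES).items():
        print(svc)
        for note in notes:
            print("  -", note)
```

On a live host the same logic would be fed from a registry export of the Services key rather than the constructed dictionary; the heuristics are deliberately loose and are meant to surface candidates for an analyst, not to replace the GAV signatures listed at the end of this advisory.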

Command and Control (C&C) Traffic

Dyre carries out its C&C communication over HTTP and SSL. It sends requests to statically defined IP addresses and domains on a regular basis. Some responses, which appear to be ordinary PDF files, actually deliver an encrypted Dyre binary that the malware decrypts with its own algorithm.

The malware sends an HTTP request to the C&C server containing information such as the campaign it belongs to, the infected machine's computer name and the operating system version. Here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dyre.E ( Trojan )

  • GAV: Dyre.F ( Trojan )