Dyre.L malware tries to register itself as Google Update Service to avoid detection.

April 15, 2015

The Dell SonicWall Threats Research team observed reports of a Dyre bot family named GAV: Dyre.L actively spreading in the wild. We recently released GAV: Dyre.E, which uses I2P (Invisible Internet Project) for C&C communications and also uses a self-signed SSL certificate for C&C communications. The new version of Dyre tries to register itself as Google Update Service to avoid detection by system administrators.

Infection Cycle:

Md5: 3497d8bcdc25950d63b6add8f8e5f40a

The Malware uses the following icons:

The Malware adds the following files to the system:

  • C:\WINDOWS\tSfxwnnGqbYvrba.exe [Random Service Name]

  • %systemroot%\system32\config\systemprofile\Application Data\nw9vbe8cb5.dll [Data Log]

The Malware adds the following keys to the Windows registry [As a Service] to ensure persistence upon reboot:

The file tSfxwnnGqbYvrba.exe is registered as a service on the Win32 subsystem. After the next restart, the malware uses an injected svchost.exe to send packets to its own C&C server, and after some time it terminates its own process.
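A defender-side check for this persistence trick, added here as an example and not part of the SonicWall write-up: given service entries exported from the registry, it flags any service that presents itself as Google Update but does not run from a Google Update install directory, and any service whose binary sits directly in the Windows directory as the dropped tSfxwnnGqbYvrba.exe does. The sample entries, the exact "Google Update Service" display string and the install directories are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample in the shape a collector would export from
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (DisplayName, ImagePath).
# Only the drop path C:\WINDOWS\tSfxwnnGqbYvrba.exe comes from the write-up;
# the other entries and display strings are assumed for illustration.
SAMPLE_SERVICES = [
    {"name": "gupdate", "display": "Google Update Service (gupdate)",
     "image_path": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"name": "tSfxwnnGqbYvrba", "display": "Google Update Service",
     "image_path": r"C:\WINDOWS\tSfxwnnGqbYvrba.exe"},
    {"name": "Spooler", "display": "Print Spooler",
     "image_path": r"C:\WINDOWS\System32\spoolsv.exe"},
]

# Directories where a machine-wide Google Update install places its service
# binary (assumption: default install locations, lower-cased for comparison).
LEGIT_GOOGLE_UPDATE_DIRS = {
    r"c:\program files\google\update",
    r"c:\program files (x86)\google\update",
}

# Windows directory root; a service binary dropped directly here is unusual
# (assumption: %SystemRoot% is C:\WINDOWS on the inspected host).
WINDOWS_ROOT = r"c:\windows"


def executable_from_image_path(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath value."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', image_path, re.IGNORECASE)
    return m.group(1) if m else image_path.strip()


def suspicious_google_update_services(services):
    """Return (service name, reason) pairs for entries worth a closer look."""
    findings = []
    for svc in services:
        exe = executable_from_image_path(svc["image_path"])
        directory = ntpath.dirname(exe).lower()
        claims_google = "google update" in svc["display"].lower()
        if claims_google and directory not in LEGIT_GOOGLE_UPDATE_DIRS:
            findings.append((svc["name"], "Google Update name, binary at " + exe))
        elif directory == WINDOWS_ROOT:
            findings.append((svc["name"], "service binary directly in " + WINDOWS_ROOT))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_google_update_services(SAMPLE_SERVICES):
        print(name, "->", reason)
```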

Dyre tries to enumerate files on the target system. After the malware retrieves the list of .exe files, it saves it to the %systemroot%\system32\config\systemprofile\Application Data\nw9vbe8cb5.dll file and encrypts it with its own format; here is an example:

Here is decrypted information grabbed by malware:

Command and Control (C&C) Traffic

Dyre carries out its C&C communication over HTTP and SSL. It sends requests to statically defined IPs/domains on a regular basis. The malware uses a self-signed SSL certificate for C&C communications.

The malware sends an HTTP request to the C&C server containing information such as the campaign it belongs to, the infected machine's computer name and its operating system version; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Dyre.L ( Trojan )