An alert published on Monday by US-CERT (the United States Computer Emergency Readiness Team) warns of a malicious email campaign spreading the Dyre banking Trojan, also known as Dyreza.

The wave of messages began appearing around the middle of the month, according to US-CERT, and the actors behind it are not selective about recipients: a wide variety of targets have received the emails.
Old Adobe Reader vulnerabilities used in new attacks

The campaign has several variations in sender address, email theme and the exploits used. The end goal is the same in each case: lure the recipient into opening a malicious attachment which, according to US-CERT, purports to be an invoice in PDF format.

The document (Invoice621785.pdf) is weaponized with exploits for old vulnerabilities in Adobe Reader, so the attack only succeeds against users running outdated, unpatched versions of the document reader.

One of the vulnerabilities leveraged is CVE-2013-2729, which allows arbitrary code execution in Adobe Reader and Acrobat and was fixed in the 2013 updates: the 9.x branch in 9.5.5, the 10.x branch in 10.1.7 and the 11.x branch in 11.0.03. Anything older than the fixed release of its own branch is exposed.
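As an added example (not code from the US-CERT alert or from the article), the following Python check applies the per-branch fixed versions quoted above to an inventory of installed Reader versions. The hostnames and versions in the sample are constructed, and the reading of "earlier than 9.5.5, 10.1.7 and 11.0.03" as one fix level per major branch is the assumption the code makes. The point worth noticing is Adobe's leading-zero notation ("11.0.03"): a naive string comparison would rank "11.0.3" below "11.0.03", so the check compares numeric tuples instead.

```python
"""Check Adobe Reader/Acrobat version strings against the CVE-2013-2729 fixes.

Added example; not from the US-CERT alert. Fixed versions come from the text.
The per-branch interpretation (each major release line got its own fix) is an
assumption; branches the text does not mention are reported as 'unknown'.
"""

# Minimum patched version per major branch named in the text.
FIXED_BY_BRANCH = {
    9: (9, 5, 5),
    10: (10, 1, 7),
    11: (11, 0, 3),  # written "11.0.03" in Adobe's notation
}


def parse_version(text: str) -> tuple:
    """Turn a dotted version such as '11.0.03' into (11, 0, 3)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def cve_2013_2729_status(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for an installed version.

    'unknown' is returned for branches the advisory does not list (for example
    8.x); the text gives no fix level for them, so the check does not guess.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return "unknown"
    # Pad short strings such as "10.1" so they compare as (10, 1, 0); longer
    # strings such as file versions "11.0.3.37" compare correctly as they are.
    v = v + (0,) * (len(fixed) - len(v))
    return "vulnerable" if v < fixed else "patched"


def triage(inventory: dict) -> dict:
    """Group hosts by status, given a {hostname: version} inventory."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        buckets[cve_2013_2729_status(version)].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not data from the alert.
    sample = {
        "ws-accounting-01": "11.0.02",
        "ws-accounting-02": "11.0.03",
        "ws-legal-01": "10.1.7",
        "ws-legal-02": "10.1",
        "ws-archive-01": "9.5.5",
        "ws-archive-02": "9.4.0",
        "ws-lab-01": "8.3.1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the versions reported by your software inventory tool; hosts that come back "vulnerable" are the ones the invoice PDF in this campaign would actually compromise, while "unknown" branches need a separate look rather than being assumed safe.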

Dyre is not a new malware family; it was first spotted in June this year. Since then it has been identified in multiple incidents, one of the most prominent being the September campaign against Salesforce customers.

Users are advised to treat unsolicited email with caution and to look closely at the spelling in the subject line and body, since errors there are a common indicator of fraud. On the host side, the presence of a "Google Update Service" can be a sign of infection, as the malware uses that innocuous-looking name to blend in. Legitimate Google software does install updater services with similar display names, so the check worth making is whether the service binary actually resides in Google's installation directory before treating it as benign.

Cybercriminals have been testing user vigilance all summer

The Trojan is designed to steal login information, banking credentials in particular, and send it to its operators. It has since been adapted to harvest other kinds of credentials as well; in a recent incident, its configuration file was observed to list bitcoin websites among the targets.

Email campaigns delivering Dyre have run all summer, which suggests this is the preferred distribution method of the cybercriminals behind it.

It has been seen in phishing emails purporting to come from JPMorgan, as well as in messages posing as notifications of new voice messages.

The malware has been improved in the months since its release, to the point that it now uses its own SSL certificate to encrypt communication with the command-and-control server, hiding the malicious traffic from inspection.