ThreatTrack Security Labs researchers continue to monitor the evolution of Dyre (aka Dyreza), the banking-credential-stealing Trojan that appears to be quickly filling the gap left by the takedown of GameOver Zeus.
We reported earlier on how Dyre has been associated with malicious spam that uses the Upatre downloader, and our researchers also cited how Dyre’s list of global banking targets continues to grow, expanding beyond traditional financial institutions to target online bitcoin wallets.
Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of having their log-in credentials stolen, but may also receive commands to download and install additional spammers, including the Cutwail/Pushdo botnet, to propagate Dyre more broadly. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall.
Other recent additions to the Dyre code include:
- The implementation of a Domain Generation Algorithm (DGA) to quickly cycle through fresh URLs and avoid detection
- The use of the peer-to-peer Invisible Internet Project (I2P) protocol for clandestine communications, presumably between infected machines and their Command and Control (C2) servers
- A newly expanded list of targeted banking institution servers (the complete list of targets was linked from the original post)
It is also worth noting that GameOver Zeus (before the government takedown) was downloading Pushdo/Kegotip/ransomware and facilitating its own spread in a manner very similar to how Dyre is behaving now.
A dynamic malware analysis of a recent Dyre sample was linked from the original post.
Spammers Set To Maximum
The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, has been employed to trick recipients into clicking links and opening infected attachments.
We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send emails from the victim’s own mailbox with attachments harboring Upatre. The third spammer (a small sampling of its email text is reproduced below) is generating a separate campaign whose frequency has increased over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
Subject: Video shows Norwegian fighter pilot’s
Video shows Norwegian fighter pilot’s close call with Russian MiG
(CNN) — It was a routine call for the Norwegian fighter pilot participating in NATO’s Quick Reaction Alert mission, high in the sky off Norway’s coast.
He was tasked with investigating and identifying an aircraft that had entered the mission’s patrol area in international airspace northwest of Norway.
Fluffy clouds dotted the piercing blue atmosphere, and it looked like it would be a non-eventful mission, until something gray darted in front of the Norwegian pilot’s F-16 — a Russian MiG fighter, according to the Norwegian Defence Ministry. FULL STORY 
* comment on CNN stories and blogs
* submit and comment on iReport assignments
* receive breaking news e-mail alerts
* receive e-mail newsletters
Subject: Tyranny of the police
Our company make a survey research about horrible situation in Ferguson, state MS.
Please, follow the link above, vote and do not pass by!!!
Click here <$url$>
Melinda Goens Paralegal
Subject: Security Concern on Your American Express Account
Security Concern on Your American Express Account
We are writing to you because we need to speak with you REGARDING A SECURITY CONCERN on your account. Our records indicate that you recently used your American Express card on November 24, 2014.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
To secure your account , please click log on to : http://americanexpress.com 
Your prompt response regarding this matter is appreciated.
American Express Identity Protection Team
Subject: Update your PayPal account
Dear valued PayPal® member*:
Due to concerns, for the safety and integrity of the paypal account we have issued this warning message.
It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension.
Please update your records on or before June 30, 2005.
Once you have updated your account records your paypal account service will not be interrupted and will continue as normal.
To update your PayPal® records click on the following link:
*Click here* <$url$>
*PayPal® UPDATE TEAM*
Subject: Payment Advice – Advice Ref:[GB$number5$] / CHAPS credits
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
Global Payments and Cash Management
Subject: Employee Documents – Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: $url$
Documents are encrypted in transit and store in a secure repository
Subject: Voice Message #$number9$
Sent date: $date$
Subject: Voice Message #$number9$
Voice redirected message
Subject: Fax message
Fax Message [Caller-ID: 1-407-$number2$-$number3$]
You have received a 3 page fax at $date$.
* The reference number for this fax is chd_did11-1$number8$7-1$number9$-$number2$.
View this fax using your PDF reader.
Thank you for using the MyFax service!
Subject: ADP Past Due Invoice
Your ADP past due invoice is ready for review at ADP Online Invoice Management.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.
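The subject lines reproduced above are enough to build a simple mail-gateway detection. The following is an added example, not code from the original post or from VIPRE: it expands the spammer’s template placeholders into regular expressions and scans a few constructed log lines; the `sender|subject` log format and the reading of `$numberN$` as exactly N digits are assumptions.

```python
import re
# Subject lines from the spam samples above, with the spammer's $numberN$/$url$/$date$
# placeholders kept exactly as they appear in the samples.
CAMPAIGN_SUBJECTS = [
    "Video shows Norwegian fighter pilot’s",
    "Tyranny of the police",
    "Security Concern on Your American Express Account",
    "Update your PayPal account",
    "Payment Advice – Advice Ref:[GB$number5$] / CHAPS credits",
    "Employee Documents – Internal Use",
    "Voice Message #$number9$",
    "Fax message",
    "ADP Past Due Invoice",
]
PLACEHOLDER = re.compile(r"\$(number(\d+)|url|date)\$")

def template_to_regex(template):
    # Escape literal text and expand placeholders. Reading $numberN$ as exactly N
    # digits is our assumption; anchor only at the start, as subjects may be truncated.
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        n = m.group(2)
        parts.append(r"\d{%s}" % n if n else (r"\S+" if m.group(1) == "url" else r".+"))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile(r"^\s*" + "".join(parts), re.IGNORECASE)
CAMPAIGN_PATTERNS = [(t, template_to_regex(t)) for t in CAMPAIGN_SUBJECTS]

def match_campaign(subject):
    # Return the matching template, or None if the subject is not on the list.
    for template, pattern in CAMPAIGN_PATTERNS:
        if pattern.match(subject):
            return template
    return None

def flag_messages(log_lines):
    # Scan 'sender|subject' lines (a constructed log format) and return
    # (sender, template) pairs for every subject that matches the campaign.
    parsed = (line.partition("|") for line in log_lines)
    hits = [(sender, match_campaign(subject)) for sender, _, subject in parsed]
    return [hit for hit in hits if hit[1]]
# Constructed sample gateway log lines, not real traffic.
SAMPLE_LOG = [
    "billing@example.net|Voice Message #482913765",
    "ap@example.org|Payment Advice – Advice Ref:[GB40917] / CHAPS credits",
    "hr@example.com|Quarterly all-hands agenda",
    "fax@example.net|FAX MESSAGE",
]
```

Matching is case-insensitive and prefix-based, so a rule list like this trades some false positives for resilience against trivial subject-line variations; tune it against your own mail volume before blocking on it.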
VIPRE detects Dyre as Win32!MalwareDrop and the spammers as Trojan.Win32.Spammer (fs).
The MD5s for the spammer responsible for the campaign above were published with the original post.
Defend Yourself Against Dyre
Ensure your antivirus and endpoint security are up to date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that, even at work, they should not click links or open attachments without regard for security. For help, reference Users Beware: 10 Security Tips to Share with Your Users.
Consumers should always be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by phone to confirm.
Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs
Update: The American Express ploy is a phishing campaign very similar to what has been reported at TechHelpList.