Dyre Botnet Using Malicious Microsoft Word Macros

The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.

Dyre’s Hedsen spambot, responsible for the bulk of Upatre emails we’ve been tracking, now uses a template to send macro-infected Word files as spam attachments, in the hope that the end user will open the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot.

As always, users should disable Macros in Office documents, and avoid the temptation to open suspicious attachments.

VIPRE detects the infected .doc as LooksLike.Macro.Malware.gen!d1 (v).

An example spam message using the new infected macro technique.

The infected .doc file, which also suggests you enable Macros once it is opened.

DETAILS

This particular spambot is now using the following URLs to generate and deliver its infected payload:

The spammer gets the Template letter (which also includes the base64 attachment of the .doc) from:

  • hxxps://109.236.83[.]205/action.php?get_letter

The spammer gets the sender field from:

  • hxxps://109.236.83[.]205/action.php?get_sender

The spammer gets its email target list from:

  • hxxps://109.236.83[.]205/action.php?action=get_mails

Macro doc MD5:

  • 6162c6b0abc8cab50b9d7c55d71e08fe

The macro pulls additional code from the following websites:

  • ezzylab[.]com/content-el/6612536153.txt
  • pilsudskiego175[.]pl/modules/mod_araticlws/6612536153.txt

The macro reads the following files to determine which URL to download from:

  • ezzylab[.]com/content-el/lns.txt
  • pilsudskiego175[.]pl/modules/mod_araticlws/lns.txt

As of this post, the macro is downloading from:

  • hxxp://209.193.86[.]41/erwtwgw.exe
  • hxxp://184.164.97[.]60/erwtwgw.exe

The Upatre md5 is:

  • 20357c95962d1cda36eeb7386ea31aea

Upatre reports to its Command and Control at:

  • 91.211.17.201

It downloads Dyre through HTTPS from:

  • 173.248.22.227/wheel11.png
  • 69.9.204.114/wheel11.png
  • 73.175.203.173/wheel11.png
  • 69.9.204.16/wheel11.png
  • 69.9.204.31/wheel11.png
  • 67.206.97.238/wheel11.png
  • 69.9.204.36/wheel11.png
  • 38.124.111.30/wheel11.png
  • 38.124.72.230/wheel11.png
  • 67.206.96.30/wheel11.png
  • 208.80.80.111/wheel11.png
  • 69.8.48.175/wheel11.png
  • 216.245.211.242/wheel11.png
  • 67.219.169.161/wheel11.png

The Dyre MD5 is:

  • 512b7bac1ce4cf63dd9bb6dbe7f16f20
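The indicators above are published in defanged form (hxxp, [.]). Below is an added example, not part of the original post or of ThreatTrack's tooling, that refangs those indicators, splits them into host-level and URL-level sets, and sweeps a few constructed proxy log lines for the download and C2 traffic of the chain described above. The log format (timestamp, client, method, URL, status) and the sample entries are assumptions made up for the example; the indicators and hashes are the ones listed in the post.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as published in the post, still defanged.
DEFANGED_IOCS: List[str] = [
    "hxxps://109.236.83[.]205/action.php?get_letter",
    "hxxps://109.236.83[.]205/action.php?get_sender",
    "hxxps://109.236.83[.]205/action.php?action=get_mails",
    "ezzylab[.]com/content-el/6612536153.txt",
    "pilsudskiego175[.]pl/modules/mod_araticlws/6612536153.txt",
    "ezzylab[.]com/content-el/lns.txt",
    "pilsudskiego175[.]pl/modules/mod_araticlws/lns.txt",
    "hxxp://209.193.86[.]41/erwtwgw.exe",
    "hxxp://184.164.97[.]60/erwtwgw.exe",
    "91.211.17.201",                      # Upatre C2, host only
    "173.248.22.227/wheel11.png", "69.9.204.114/wheel11.png",
    "73.175.203.173/wheel11.png", "69.9.204.16/wheel11.png",
    "69.9.204.31/wheel11.png",    "67.206.97.238/wheel11.png",
    "69.9.204.36/wheel11.png",    "38.124.111.30/wheel11.png",
    "38.124.72.230/wheel11.png",  "67.206.96.30/wheel11.png",
    "208.80.80.111/wheel11.png",  "69.8.48.175/wheel11.png",
    "216.245.211.242/wheel11.png", "67.219.169.161/wheel11.png",
]

# MD5s from the post: macro .doc, Upatre dropper, Dyre payload.
KNOWN_MD5: Set[str] = {
    "6162c6b0abc8cab50b9d7c55d71e08fe",
    "20357c95962d1cda36eeb7386ea31aea",
    "512b7bac1ce4cf63dd9bb6dbe7f16f20",
}

# Constructed proxy log lines (assumed format: ts client method url status).
SAMPLE_PROXY_LOG: List[str] = [
    "2015-01-01T10:01:02Z 10.0.0.21 GET http://ezzylab.com/content-el/lns.txt 200",
    "2015-01-01T10:01:03Z 10.0.0.21 GET http://209.193.86.41/erwtwgw.exe 200",
    "2015-01-01T10:01:09Z 10.0.0.21 CONNECT 91.211.17.201:443 200",
    "2015-01-01T10:01:15Z 10.0.0.21 GET https://69.9.204.114/wheel11.png 200",
    "2015-01-01T10:02:00Z 10.0.0.33 GET http://www.example.com/index.html 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) with scheme and port stripped, host lower-cased."""
    no_scheme = re.sub(r"^https?://", "", url)
    host, _, path = no_scheme.partition("/")
    return host.split(":")[0].lower(), path


def extract_indicators(defanged: List[str]) -> Tuple[Set[str], Set[str]]:
    """Build a host set (any contact is suspicious) and a host/path URL set."""
    hosts: Set[str] = set()
    urls: Set[str] = set()
    for ioc in defanged:
        host, path = split_url(refang(ioc))
        hosts.add(host)
        if path:
            urls.add(f"{host}/{path}")
    return hosts, urls


def scan_proxy_log(lines: List[str], hosts: Set[str], urls: Set[str]) -> List[Dict[str, str]]:
    """Flag log entries whose URL or host matches a known indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the sweep
        _ts, client, _method, url, _status = parts[:5]
        host, path = split_url(url)
        key = f"{host}/{path}" if path else host
        if key in urls:
            hits.append({"client": client, "url": url, "match": "url"})
        elif host in hosts:
            hits.append({"client": client, "url": url, "match": "host"})
    return hits


def is_known_sample(md5_hex: str) -> bool:
    """Check an attachment or dropped-file hash against the published MD5s."""
    return md5_hex.strip().lower() in KNOWN_MD5


if __name__ == "__main__":
    known_hosts, known_urls = extract_indicators(DEFANGED_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, known_hosts, known_urls):
        print(f"{hit['client']} -> {hit['url']} ({hit['match']} match)")
```

Matching on host alone catches the CONNECT to the Upatre C2, where no path is visible; the stricter URL match is what confirms the stage (lns.txt lookup, erwtwgw.exe download, wheel11.png retrieval) for an incident timeline.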

Credit: Matthew Mesa – ThreatTrack Security Labs Researcher