Dyre Spreading Using Code-Signing Certificates, HTTPS

ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.

The Ruckguv downloader works by injecting a DLL into an instance of Windows Service Host (svchost.exe). Windows Service Host then uses HTTPS to download Dyreza from a compromised domain.

Labs researchers note that this new Dyre technique stands out for a few reasons:

  1. The new dropper is signed with a valid digital certificate
  2. All the action happens over HTTPS, which is generally less monitored than an HTTP connection

There are also reports of spam messages including links to file sharing and hosting sites, such as sugarsync[dot]com, leading to the download of Ruckguv as well.

This latest variation is apparently just one more way that Dyre attempts to deceive and reproduce; we recently reported on how Dyre was increasing its target range and altering the type of spambots it uses.

As always, users should remain vigilant for files or emails that seem suspicious, and ensure their antivirus is up-to-date to protect them from malicious threats.

VIPRE detects files signed with the misused certificate as Trojan.Compcert.42015 (fs).

Technical details

The downloader uses this code signing certificate to make it seem legitimate:

KONSALTING PLYUS OOO
Status: Valid
Valid from: 1:00 AM 4/17/2015
Valid to: 12:59 AM 4/17/2016
Valid usage: Code Signing
Algorithm: 1.2.840.113549.1.1.11
Thumbprint: F2DAEDD9EFA306C7F7FF2DC5885870AA06947ADD
Serial number: 00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E

Analyzed md5s for Ruckguv:

86f527b816684141f25d7e0ea42c7d8b
dd4654d9c4978204b14c6fb25667fe5c

Analyzed md5s for Dyreza:

eb9bc0e306b955d04a9334e28d3bdce2
f11fb8a7593a449934c0690d7f3454ad
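
One way to sweep a directory for the certificate thumbprint and MD5s listed above, as an added example that is not ThreatTrack's code. The function name and the extension list are assumptions; the signature status is reported but never used to clear a file, because the misused certificate validates as "Valid".

```powershell
# Added example. Indicator values are copied from this page.
$MisusedThumbprint = 'F2DAEDD9EFA306C7F7FF2DC5885870AA06947ADD'
$KnownMd5 = @{
    '86f527b816684141f25d7e0ea42c7d8b' = 'Ruckguv'
    'dd4654d9c4978204b14c6fb25667fe5c' = 'Ruckguv'
    'eb9bc0e306b955d04a9334e28d3bdce2' = 'Dyreza'
    'f11fb8a7593a449934c0690d7f3454ad' = 'Dyreza'
}

function Find-RuckguvIndicator {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $extensions = '.exe', '.dll', '.scr'  # assumed set of file types worth checking
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $reasons = @()

            # Compare the signer's thumbprint, not the validation result:
            # a file signed with this certificate can still report Status = Valid.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = $sig.SignerCertificate
            if ($signer -and $signer.Thumbprint -eq $MisusedThumbprint) {
                $reasons += "signed with misused certificate (status: $($sig.Status))"
            }

            # Locked or unreadable files yield no hash; skip the MD5 check for them.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            $md5 = if ($hash) { $hash.Hash.ToLower() } else { $null }
            if ($md5 -and $KnownMd5.ContainsKey($md5)) {
                $reasons += "MD5 matches analyzed $($KnownMd5[$md5]) sample"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path            = $_.FullName
                    Md5             = $md5
                    SignatureStatus = $sig.Status
                    Reasons         = $reasons -join '; '
                }
            }
        }
}

# Usage: Find-RuckguvIndicator -Path "$env:USERPROFILE\Downloads"
```

A thumbprint hit catches new builds signed with the same certificate even when their MD5 differs from the analyzed samples.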

Reported locations of Ruckguv:

  • hxxps://i.nfil[.]es/ZnKlLv.zip
  • hxxps://demo.cozycloud[.]cc/public/files/files/fd7a3dd2b8e41f198cb2c475ea011149/attach/report2104.zip
  • hxxps://files[.]fm/down.php?i=knrryxd&n=report2104.zip
  • hxxps://www.sugarsync[.]com/pf/D3740680_035_720143350?directDownload=true
  • hxxps://www.sugarsync[.]com/pf/D7687781_714_129513481?directDownload=true

Dyreza download points initiated by Ruckguv:

  • hxxps://thewinesteward[.]com/css/Document1704.exe
  • hxxps://relianceproducts[.]com/files/jxpiinstall.exe

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs
