ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.
The Ruckguv downloader works by injecting a DLL into an instance of the Windows Service Host (svchost.exe). The injected svchost.exe process then downloads Dyreza (another name for Dyre) over HTTPS from a compromised domain, so the download appears to originate from a trusted system process.
Labs researchers note that this new Dyre technique stands out for a few reasons:
- The new dropper is signed with a valid digital certificate
- All the action happens over HTTPS, which is generally less monitored than an HTTP connection because the payload is encrypted in transit
There are also reports of spam messages including links to file sharing and hosting sites, such as sugarsync[dot]com, leading to the download of Ruckguv as well.
This latest variation is apparently just one more way that Dyre attempts to deceive and reproduce; we recently reported on how Dyre was increasing its target range and altering the type of spambots it uses.
As always, users should remain vigilant for emails or files that seem suspicious, and ensure their antivirus is up to date to protect them from malicious threats.
VIPRE detects files signed with the misused certificate as Trojan.Compcert.42015 (fs).
The downloader uses this code signing certificate to make it seem legitimate:
- Issued to: KONSALTING PLYUS OOO
- Valid from: 1:00 AM 4/17/2015
- Valid to: 12:59 AM 4/17/2016
- Valid usage: Code Signing
- Serial number: 00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E
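The two observations above (a dropper carrying a valid signature, and a DLL injected into svchost.exe that then talks HTTPS) are easier to hunt together than apart. The script below is an added example written for this page, not ThreatTrack's tooling; it takes text records whose field names follow Sysmon's image-load (ID 7), CreateRemoteThread (ID 8) and network-connect (ID 3) events, flags anything signed by the certificate listed above regardless of its signature status, and flags a svchost.exe that connects out on 443 only after it has received a remote thread or loaded a DLL from outside the Windows directory. The sample records, paths, PIDs and IP addresses are constructed for the example; the certificate subject and serial are the ones from this post.

```python
"""Hunt for the Ruckguv/Dyre pattern in Sysmon-style event text.

Added example, not ThreatTrack's tooling. The records at the bottom are
constructed; field names follow Sysmon's image-load (ID 7), CreateRemoteThread
(ID 8) and network-connect (ID 3) events, but no real log was used.
"""
import re

# Identity of the misused code-signing certificate, as listed in the post.
MISUSED_SUBJECT = "KONSALTING PLYUS OOO"
MISUSED_SERIAL = "00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E"

WINDOWS_DIR = "c:\\windows\\"
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def norm_serial(serial):
    """Serial as an integer so '00 88 07 ...', '008807...' and '8807...' compare equal.

    The leading 00 is DER's sign byte for a positive integer; some tools print
    it, some drop it, and byte spacing varies, so never compare the raw string.
    """
    digits = re.sub(r"[^0-9a-f]", "", serial.lower())
    return int(digits, 16) if digits else None


def is_misused_cert(subject=None, serial=None):
    """True if the signer subject or the certificate serial matches the IOC.

    Deliberately ignores signature status: a file signed with this certificate
    verifies as Valid until the issuing CA revokes it.
    """
    if subject and subject.strip().lower() == MISUSED_SUBJECT.lower():
        return True
    if serial and norm_serial(serial) == norm_serial(MISUSED_SERIAL):
        return True
    return False


def parse_event(line):
    """Parse 'Key=Value Key=Value ...' text; values may contain spaces."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def in_windows_dir(path):
    return path.lower().startswith(WINDOWS_DIR)


def is_svchost(path):
    return path.lower().endswith("\\svchost.exe")


def hunt(lines):
    """Return (rule, detail) pairs in stream order.

    The HTTPS rule fires only for a svchost.exe that earlier received a remote
    thread or loaded a DLL from outside the Windows directory; svchost talking
    to port 443 on its own is normal (Windows Update does exactly that).
    """
    findings = []
    injected_pids = set()
    for ev in (parse_event(line) for line in lines):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "7":
            if is_misused_cert(subject=ev.get("Signature")):
                findings.append(("misused_cert", ev.get("ImageLoaded", image)))
            if is_svchost(image) and not in_windows_dir(ev.get("ImageLoaded", "")):
                injected_pids.add(ev.get("ProcessId"))
                findings.append(("foreign_dll_in_svchost", ev.get("ImageLoaded")))
        elif eid == "8":
            if is_svchost(ev.get("TargetImage", "")) and not in_windows_dir(ev.get("SourceImage", "")):
                injected_pids.add(ev.get("TargetProcessId"))
                findings.append(("remote_thread_into_svchost", ev.get("SourceImage")))
        elif eid == "3":
            if (is_svchost(image) and ev.get("DestinationPort") == "443"
                    and ev.get("ProcessId") in injected_pids):
                findings.append(("https_from_injected_svchost",
                                 f"{ev.get('DestinationIp')}:443"))
    return findings


# Constructed sample stream: a user-land dropper signed with the misused
# certificate injects a DLL into svchost.exe (PID 880), which then connects
# out on 443. PID 1212 is an uninjected svchost.exe doing a routine TLS call.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Users\bob\AppData\Local\Temp\invoice.exe ProcessId=4120 ImageLoaded=C:\Users\bob\AppData\Local\Temp\invoice.exe Signed=true Signature=KONSALTING PLYUS OOO SignatureStatus=Valid",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ProcessId=1212 ImageLoaded=C:\Windows\System32\wuaueng.dll Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=8 SourceImage=C:\Users\bob\AppData\Local\Temp\invoice.exe SourceProcessId=4120 TargetImage=C:\Windows\System32\svchost.exe TargetProcessId=880 StartModule=C:\Users\bob\AppData\Local\Temp\wk.dll",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ProcessId=880 ImageLoaded=C:\Users\bob\AppData\Local\Temp\wk.dll Signed=false Signature= SignatureStatus=Unavailable",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe ProcessId=1212 DestinationIp=198.51.100.7 DestinationPort=443 Protocol=tcp",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe ProcessId=880 DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp",
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

Two caveats for anyone adapting this to live data. Sysmon's Signature field carries the signer subject but not the serial, so the serial matcher is there for tools that expose it; when checking files on disk with PowerShell's Get-AuthenticodeSignature, the Status of a file signed with this certificate reads Valid until the CA revokes it, so match on SignerCertificate.Subject or SignerCertificate.SerialNumber rather than on Status. The svchost rules also key on the process ID, so they only hold within one boot and one host; a real pipeline would key on the process GUID instead.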
Analyzed md5s for Ruckguv:
Analyzed md5s for Dyreza:
Reported locations of Ruckguv:
Dyreza download points initiated by Ruckguv:
Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs