Dyre Targets More Websites

The Dyre Trojan has expanded its attack vectors, aiming to harvest sensitive data from an expanding list of targeted websites.

Previously, Dyre had been known to seek out banking credentials as its primary targets, but ThreatTrack Security Labs researchers recently discovered multiple new types of domains, which have become part of Dyre’s standard target index.

While Dyre has added more file hosting and email domains to its attack list — pretty standard fodder for redistributing itself via malware — it has now appended a few new types of domains, including popular job hunting, file hosting, tax services, online retail and Internet Service Provider (ISP) websites.

Labs researchers used Wireshark to monitor Dyre’s TCP connections.

TCP snapshot of Dyre sending the contents of an HTTPS connection to Dyre’s server

The Labs team was then able to acquire configuration data from an active infection. Click here for the configuration file they pulled.

Based on experience in the field and initial investigations into these new targets, our Labs team has compiled the following list of potential reasons for attack:


Could be used to register new sites and modify existing ones. Likely used for hosting malware.

  • iweb.com
  • lunarpages.com
  • networksolutions.com
  • godaddy.com
  • hostgator.com
  • bluehost.com
  • enom.com


Gathering identity information, campaign templates or targets.

  • glassdoor.com
  • monster.com
  • indeed.com
  • simplyhired.com
  • careerbuilder.com


Acquiring hardware and user information.

  • newegg.com
  • sellerportal.newegg.com


Site records for targeting, templates and other attacks.

  • accurint.com
  • thomsonreuters.com
  • stamps.com


Can aid in email distribution of malware or other attacks.

  • mailchimp.com
  • mandrillapp.com


Enterprise account information used for further targeting or templates, data gathering, accessing corporate data and similar purposes.

  • wireless.att.com
  • smb.att.com
  • businessdirect.att.com
  • verizonenterprise.com
  • verizon.com


Personal income and account information, due to the approach of tax season.

  • turbotax.com
  • intuit.com
  • hrblock.com

Defend Yourself Against Dyre

End users should be reminded not to open attachments without regard for security. Dyre is often triggered via infected .zip files (containing Upatre) and .pdf attachment exploits.

For help educating users, reference Users Beware: 10 Security Tips to Share with Your Users.


The information presented in this post may contain names and images associated with real companies. There is no evidence that any of the sites mentioned have been compromised. Users with computers infected with Dyre may be at risk of having their personal information stolen when visiting these sites. 
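For incident responders, the target list above can be used to scope credential resets once a Dyre infection is confirmed. The following is an added example, not code from ThreatTrack Security Labs: it checks web proxy records from known-infected hosts against the domains listed in this post. The log format (timestamp, source IP, user, URL), the category labels, the sample records and the choice to treat subdomains of a listed domain as in scope are all assumptions made for the illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains as listed in the post; the category keys are labels chosen for this example.
DYRE_TARGETS = {
    "hosting": ["iweb.com", "lunarpages.com", "networksolutions.com", "godaddy.com",
                "hostgator.com", "bluehost.com", "enom.com"],
    "job_sites": ["glassdoor.com", "monster.com", "indeed.com", "simplyhired.com",
                  "careerbuilder.com"],
    "retail": ["newegg.com", "sellerportal.newegg.com"],
    "records": ["accurint.com", "thomsonreuters.com", "stamps.com"],
    "email_delivery": ["mailchimp.com", "mandrillapp.com"],
    "isp": ["wireless.att.com", "smb.att.com", "businessdirect.att.com",
            "verizonenterprise.com", "verizon.com"],
    "tax": ["turbotax.com", "intuit.com", "hrblock.com"],
}
_LOOKUP = {d: cat for cat, ds in DYRE_TARGETS.items() for d in ds}

# Constructed sample proxy records: timestamp, source IP, user, URL (or host:port).
SAMPLE_LOG = [
    "2015-01-20T09:01:02Z 10.0.0.15 alice https://www.godaddy.com/account",
    "2015-01-20T09:05:40Z 10.0.0.15 alice login.turbotax.com:443",
    "2015-01-20T09:07:11Z 10.0.0.15 alice https://notnewegg.example/",
    "2015-01-20T09:09:00Z 10.0.0.22 bob https://www.monster.com/",
    "2015-01-20T09:12:30Z 10.0.0.15 alice https://att.com/",
]

def match_target(host):
    """Return (listed_domain, category) if host is a listed domain or a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # longest suffix first, on label boundaries
        candidate = ".".join(labels[i:])
        if candidate in _LOOKUP:
            return candidate, _LOOKUP[candidate]
    return None

def exposed_accounts(log_lines, infected_hosts):
    """Map each user to the listed domains they visited from an infected host."""
    exposure = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] not in infected_hosts:
            continue                        # malformed record or clean source host
        _ts, _src, user, url = parts
        host = urlsplit(url if "//" in url else "//" + url).hostname
        hit = match_target(host) if host else None
        if hit:
            exposure[user].add(hit)
    return {user: sorted(hits) for user, hits in exposure.items()}
```

Matching is done on whole DNS labels, so a lookalike such as `notnewegg.example` is ignored, and the bare `att.com` is not flagged because only specific AT&T subdomains appear in the list.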

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs
