Banking Trojan Dyreza morphs to target supply chains

Bored of banking, Dyreza turns its attention to high-value targets in the supply chain

Dyreza, the banking malware designed to conduct "man in the middle" attacks in order to steal bank users' credentials, has been found targeting companies in fulfilment and warehousing.

According to security services company Proofpoint, 20 organisations directly involved in the supply chain have been targeted, including four software companies that support fulfilment and warehousing, as well as five wholesale computer distributors.

Its credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems and many other well-known consumer- and business-facing technology and service brands, according to Proofpoint.

The attacks kick off with phishing campaigns designed to look like emails from a legitimate bank, urging the user to respond to the email securely by clicking on the attachment.

"When the email recipient opens the attachment, they encounter a 'secure' Office document. The document claims to be encrypted, and the user is urged to 'PLEASE ENABLE CONTENT* TO SEE THIS DOCUMENT'. Pressing the 'Enable Content' button in Word then enables macros embedded in the documents, which in turn activate a secondary payload," according to Proofpoint.

It continues: "The attackers' request for Internet connectivity (in the email body) is significant, as this specific macro, known as 'Xbagging' or 'Bartallex', downloads the payload from the Internet, rather than unpacking it from within an email attachment - a technique used to avoid detection by security programs."

The payload downloaded by the document is called 'Upatre', which in turn downloads Dyreza. Dyreza, in addition, may download one of two dedicated spambots to further spread the botnet.
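The infection chain above gives a mail gateway two cheap signals to combine: a bank-themed lure that asks the reader to "enable content" (or mentions needing Internet connectivity) and an Office attachment that actually carries a VBA project. The following triage check is an added example written for this article, not code from Proofpoint or from the Dyreza analysis; the lure phrase list, the `has_vba_macro` heuristic (OOXML `vbaProject.bin` part, or a UTF-16 `_VBA_PROJECT` stream name in a legacy OLE file) and the sample message it builds are all constructed assumptions.

```python
"""Triage an inbound e-mail for the macro-document lure pattern used by Dyreza.
Constructed example: heuristics and sample data are illustrative, not the real campaign."""
import email, io, re, zipfile
from email.message import EmailMessage

# Phrases taken from the lure described in the article (assumed heuristic list).
LURE_PATTERNS = [r"enable\s+content", r"internet\s+connect", r"secure\w*\s+(document|message)"]

def has_vba_macro(blob: bytes) -> bool:
    """OOXML files (docm/xlsm) keep macros in a vbaProject.bin part; legacy OLE
    files store a '_VBA_PROJECT' stream whose name is UTF-16LE (approximation)."""
    if blob.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    if blob.startswith(b"\xd0\xcf\x11\xe0"):          # OLE2 compound file magic
        return "_VBA_PROJECT".encode("utf-16-le") in blob
    return False

def triage_message(raw: bytes) -> dict:
    """Return lure-phrase hits, attachments carrying macros, and a combined verdict."""
    msg = email.message_from_bytes(raw)
    body = " ".join(p.get_payload(decode=True).decode(errors="ignore")
                    for p in msg.walk() if p.get_content_type() == "text/plain")
    lures = [pat for pat in LURE_PATTERNS if re.search(pat, body, re.I)]
    macro_parts = [p.get_filename() for p in msg.walk()
                   if p.get_filename() and has_vba_macro(p.get_payload(decode=True))]
    return {"lure_phrases": len(lures), "macro_attachments": macro_parts,
            "suspicious": bool(lures) and bool(macro_parts)}

def build_sample(with_macro: bool = True) -> bytes:
    """Constructed sample: a bank-themed lure carrying a minimal docm (optionally macro-free)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")   # stand-in for a real VBA project
    m = EmailMessage()
    m["From"] = "secure-messaging@bank.example"          # placeholder sender
    m["Subject"] = "Secure message from your bank"
    m.set_content("Please open the attached secure document. Internet connectivity is "
                  "required. PLEASE ENABLE CONTENT to see this document.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="secure_message.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage_message(build_sample()))
```

The verdict only fires when both signals are present, so a bank newsletter without an attachment or a macro-free document with a stray "enable content" sentence is not flagged on its own.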

"The specific changes Proofpoint observed are in the '<rpcgroup>' section of Dyreza's configuration. This section contains directives to Dyreza to sniff POSTs within the users' browser and send them to the Dyre C2... The targeted companies include those in the warehouse and fulfilment business, as well as those that create warehouse and fulfilment software."

Proofpoint claims that the shift in focus from the well-resourced banking sector represents a "clear and deliberate strategy" on the part of attackers to target a new industry, at all points across the supply chain.

It continues: "This latest evolution of Dyreza should dispel once and for all the myth that only financial institutions are targeted by credential-stealing man-in-the-middle attacks from this malware strain. The observed campaigns clearly use sophisticated malware and phishing techniques in targeted attacks against major fulfilment, warehousing and distribution targets."

Proofpoint warned that the motivation for the attacks is no doubt financial - once an attacker obtains login credentials for the targeted systems, they will have a huge amount of power to harvest payment information, make fraudulent financial transfers and even divert physical shipments.

Computing's Enterprise Security & Risk Management Summit is on 26th November 2015.