The criminals who unleashed a variant of the Dyre banking Trojan recently may have more up their sleeve than harvesting Salesforce.com credentials.
Analysis of a sample conducted by SaaS security company Adallom determined that the new strain of Dyre is targeting large enterprises in addition to major financial institutions, and includes functionality that can steal client certificates and browser cookies. Having these means of authentication at their disposal, means attackers can have the same account persistence as a legitimate user and access internal and Internet-facing services.
Dyre, meanwhile, still has an appetite for banks, but Adallom researchers determined the malware isn’t targeting personal or small business accounts. Instead, the target configurations are bank log-in forms for large banks in addition to corporate accounts.
“The whole operation is much bigger than just accessing Salesforce,” said director of research Tomer Schwartz. Salesforce.com warned its customers on Sept. 8 that Dyre, also known as Dyreza, was targeting its customer accounts.
Dyre is spread via spam or phishing emails, and once it infects a machine, one of two modules is loaded, depending on whether a URL is on a target list. If not, a generic module is loaded that copies POST data from a browser and sends it to the hacker’s command and control server. This module is unable to inject code, Schwartz said, but reams of plaintext data is sent back to the attacker, including credentials.
If the URL is on a target list, a different configuration is sent, one that pulls off a man-in-the-middle attack by redirecting traffic to the attacker’s server. A feature called browsersnapshot enables Dyre to grab session cookies and client certificates, as well as private keys from the Windows Certificate store for Internet Explorer and Firefox’s certificate database. The browser is tricked into using the legitimate certificate, Schwartz said, which in the possession of the attacker allows him to inject code into the session such as a phony log-in page. All the while, the attack also bypasses SSL.
“If I’m able to grab the session cookie and client certificate, for all intents and purposes, I am you to the application even though I haven’t hijacked the session you’re using,” said vice president of strategy at Adallom, Tal Klein. “That’s one thing Zeus doesn’t do.”
Banking malware campaigns don’t usually target client certificates, for example, because they’re rarely used by personal accounts for day-to-day log-ins, Schwartz said.
“The fact they pushed such functionality into the malware being installed on every victim’s machine is interesting because the use of client certificates is not common or useful for major [banking] campaigns,” he said. “This is much more targeted. They know the victims they’re after.”
Next is determining why Salesforce credentials are so valuable to the attackers, Klein said, adding that they’re looking at mechanisms in Salesforce that could be interesting to someone using it as an attack vector.
“These guys are not interested in things like email; none of the services listed in the target list in the malware are for Office 365, or Google Apps,” he said. “The interesting part that we’re still hypothesizing on is, what does Salesforce data give them. They’re not interested in selling Salesforce on the open market. By the sheer list of targets, there is a correlation between Salesforce and those banking sites. We’re still trying to figure out what that is.”
Adallom posted a full target list on its site, and ironically, Salesforce log-ins were not found on a list of victims to which they could push specific configurations; most of that list was made up of large banks in the UK. Instead, the code targeting Salesforce credentials was found on a proxy server used for targeting websites based on criteria that hasn’t been determined yet, Schwartz said.
One thing that may help is that the attackers may have unintentionally included unique tokens in some of the redirect URLs; Klein said they hope to work with some of the banks in question and possibly identify the attackers.
“We found through [the attackers’] sloppiness that they left rich data in the targeted URLs of banks on their list,” Klein said. “The next phase is to work with some of those banks to investigate how many times they’ve seen session IDs or tokens used to establish new sessions and that may give us an idea of the impact.”