The Dyreza Trojan is nothing if not ambitious. The malware has been spotted doing a variety of interesting things in the last year, including bypassing SSL and targeting users of specific business apps. Now the Trojan is exploiting the recently disclosed CVE-2014-4114 vulnerability in Windows that was first used by the Sandworm attackers.
Researchers at CSIS in Denmark have identified a new spam campaign carrying the Dyreza Trojan that is targeting customers of various Swiss banks. Dyreza typically is found in spam or phishing emails, often purporting to come from a bank or financial institution. The emails often will be disguised as invoices or communications from the bank and will contain a malicious attachment.
“The most recent campaigns observed have arrived as spam e-mails to victims with a PPT attachment that exploits a vulnerability: CVE-2014-4114, also known as ‘Windows OLE Remote Code Execution Vulnerability’. As a side note, this exploit was first seen abused in Sandworm APT attacks against Poland and Ukraine. If the software is not updated, arbitrary code is executed and Dyreza is then downloaded to the host and run,” Peter Kruse of CSIS said in an analysis of the new campaign.
The Sandworm attackers are an APT team that has targeted organizations in Eastern Europe, and researchers at iSIGHT Partners earlier this month revealed details of the team’s activities. The most interesting aspect of the Sandworm campaign is its use of the CVE-2014-4114 vulnerability, which was a zero-day flaw at the time. Now other attackers have picked up the baton from the Sandworm team and are using the vulnerability for themselves.
Once it’s installed on a compromised machine, Dyreza shows up as a fake Google Update service and runs every time the machine is started.
“On Microsoft Windows 7, it injects itself into the explorer.exe process and hooks the browser. A slightly different approach is used on older Windows versions, on which it injects into the svchost.exe process instead,” Kruse said.