Banker Trojans have proven to be reliable and effective tools for attackers interested in quietly stealing large amounts of money from unwitting victims. Zeus, Carberp and many others have made piles of money for their creators and the attackers who use them, and researchers have been looking at a newer banker Trojan that has the ability to bypass SSL protection for banking sessions by redirecting traffic through the attackers’ own domains.
The Trojan, which is being called either Dyre or Dyreza by researchers, uses a technique known as browser hooking to intercept traffic flowing between the victim’s machine and the target Web site. The malware arrives in users’ inboxes through spam messages, many of which will look like messages from a financial institution. The list of targeted banks includes Bank of America, Natwest, Citibank, RBS and Ulsterbank. Researchers say that much of the activity from the Trojan so far is in the U.K.
When a victim opens the attached zip file in a spam message, the malware installs itself on the machine and then contacts a command-and-control server. Researchers at CSIS in Denmark located a couple of the C2 servers and discovered that one of them had an integrated money mule panel for several accounts in Latvia. The goal of the malware, of course, if to steal users’ credentials for online banking and other financial sites. Various banker Trojans go about this in different ways, and Dyreza’s creators decided to employ browser hooking to help defeat SSL.
“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,” an analysis by Peter Kruse at CSIS says.
When users go to one of the targeted financial sites and attempt to log in, the data is intercepted by the malware and sent directly to the attackers. Victims would not have any visual cues that their data is being siphoned off or that the malware is redirecting their traffic to a domain controlled by the attackers and it’s no longer encrypted.
“Here’s the kicker. All of this should be encrypted and never seen in the clear. By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers page,” another analysis by Ronnie Tokazowski of PhishMe says.
“To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking. No DNS queries were performed for the c1sh Bank of America domain, suggesting the attackers simply appended this to the Host field in the network traffic.”
The Dyreza malware has the ability to hook Google Chrome, Mozilla Firefox and Internet Explorer.