Salesforce.com is warning its customers that the Dyreza banker Trojan is now believed to be targeting some of the company’s users. The Trojan, which has the ability to bypass SSL, typically goes after customers of major banks, but seems to be expanding its reach.
Dyreza is relatively new among the banker Trojan crowd and it hasn’t had the reach or effect of older bankers such as Carberp or Zeus. But it has some interesting capabilities that make it troublesome. The malware installs itself on a victim’s machine after a user clicks on a malicious attachment in a spam message. Once on the machine, Dyreza reaches out to a C2 server and waits for the victim to visit a targeted banking site. The malware uses a technique known as browser hooking to intercept traffic before it’s encrypted on the way to the bank’s site.
“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,” an analysis by Peter Kruse at CSIS says.
Most banker Trojans tend to stay in their lane and simply go after banks. That’s where the money is, after all. But Dyreza is broadening its horizons to target Salesforce.com customers.
“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” the Salesforce.com statement says.
The company emphasized that Dyreza isn’t taking advantage of any vulnerabilities in Salesforce’s systems, but warned customers that the malware is attempting to steal user credentials. Salesforce credentials would be quite valuable for an attacker targeting a specific organization. Customers use the company’s services to run internal sales operations, CRM and other sensitive functions, so valid credentials for those systems would give an attacker an invaluable foothold in an organization.