The Department of Homeland Security formally sounded the alarm Monday on Dyre, the banking Trojan that’s been spotted siphoning banking credentials from both large enterprises and major financial institutions as of late.
The warning came in the form of an alert from the United States Computer Emergency Readiness Team (US-CERT) informing the public of the malware, which is spread through spam and phishing emails.
According to US-CERT, phishing emails peddling Dyre are now using malicious PDF attachments that leverage vulnerabilities (namely CVE-2013-2729) in old, unpatched versions of Adobe Reader to download the malware. Once it’s downloaded, it captures user login information and sends that on to attackers.
It should come as no surprise that experts are encouraging users to use caution when it comes to opening attachments – especially those with suspicious-looking names like Invoice621785.pdf – and following links in emails.
After it has been installed, the malware copies itself to C:\Windows\[RandomName].exe and disguises itself as a fake program, Google Update Service.
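A triage check that follows from the behaviour described above, added here as an example (it is not part of the original report or of the US-CERT alert): given service entries as Windows reports them (DisplayName, PathName), it flags entries whose display name imitates Google Update but whose binary is not in the expected Google\Update directory, and entries whose executable sits directly under C:\Windows. The expected directory and the sample entries are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Name the article says Dyre imitates. Assumption (not from the article): the
# genuine Google Update binary lives in a ...\Google\Update\ directory.
LOOKALIKE = "google update"
EXPECTED_DIR = ("google", "update")

def _exe_path(path_name: str) -> PureWindowsPath:
    """Pull the executable out of a Win32_Service PathName, dropping quotes
    and arguments. Unquoted paths containing spaces are not handled."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', path_name)
    raw = (m.group(1) or m.group(2)) if m else path_name
    return PureWindowsPath(raw)

def triage_services(services):
    """services: iterable of (DisplayName, PathName) pairs.
    Returns [(display, exe, [reasons])] for entries that deserve a look."""
    findings = []
    for display, path_name in services:
        exe = _exe_path(path_name)
        parts = [p.lower() for p in exe.parts]
        reasons = []
        # 1. Display name imitates Google Update but the binary is not in the
        #    expected ...\Google\Update\ directory.
        in_expected_dir = any(tuple(parts[i:i + 2]) == EXPECTED_DIR
                              for i in range(len(parts) - 1))
        if LOOKALIKE in display.lower() and not in_expected_dir:
            reasons.append("lookalike display name, unexpected path")
        # 2. Executable dropped directly under the Windows directory
        #    (C:\Windows\<name>.exe), the location the article describes.
        if len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".exe"):
            reasons.append("executable directly under Windows root")
        if reasons:
            findings.append((display, str(exe), reasons))
    return findings

# Constructed sample: one genuine-looking entry, one Dyre-style entry, one
# unrelated system service.
SAMPLE_SERVICES = [
    ("Google Update Service (gupdate)",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'),
    ("Google Update Service", r"C:\Windows\kxqwtrab.exe"),
    ("Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for display, exe, reasons in triage_services(SAMPLE_SERVICES):
        print(f"{display!r} -> {exe}: {'; '.join(reasons)}")
```

Feed it the output of `Get-CimInstance Win32_Service | Select-Object DisplayName, PathName` from the host under review; a hit is a lead for an analyst, not a verdict.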
The Trojan has existed in one form or another since early summer, but US-CERT is claiming this particular campaign started targeting recipients in mid-October.
Last month Salesforce, a customer relationship management company, claimed the malware, also known as Dyreza, was taking aim at its customers. In that series of attacks, criminals used the malware to conduct man-in-the-middle attacks to “read anything, even SSL traffic in clear text,” according to a write-up by the CSIS Security Group.
Another variant of the malware was spotted days later that was fine-tuned to steal client certificates and browser cookies, suggesting that some versions of Dyre may be much more refined than the versions that surfaced in June.