Upatre, Dyre Spawn 'Mini-Dyre'


The Upatre Trojan and the Dyre remote access tool (RAT) malware have formed an unholy union, spawning a new downloader that researchers from PhishMe have called “Mini-Dyre.”

Upatre typically spreads via spam email. The email attachment is usually a malicious ZIP file, which extracts to an SCR file posing as a screensaver or an Adobe PDF document. In reality, of course, it is malware that then fetches and installs additional malware: as recently as October, campaigns were spreading that downloaded the Dyre banking threat, which can steal personal information such as online banking user names and passwords.

Researchers at PhishMe have now found a variant that combines characteristics of Dyre with Upatre code to create a new downloader altogether.

They have uncovered that now, once the victim clicks the link in the email, redirection scripts direct the user to download a supposed update for new Outlook settings. Clicking the malicious download link generates an initial GET request that downloads JavaScript code, which pulls further scripts.

These scripts generate yet more GET requests, which in turn download a base64-encoded .zip file; the user is then quickly redirected to Microsoft.com in the background to make the download appear legitimate.
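The delivery chain described above (a script download, then a base64-encoded ZIP, then a redirect to Microsoft.com) is a sequence that can be surfaced from proxy logs. The following is an added example, not code from the article or from PhishMe; the log records, client addresses and hostnames are constructed, and the placeholder domain stands in for whatever hosted the scripts.

```python
import base64
import binascii
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy records (not from the article): one tuple per HTTP transaction,
# (client, url, response content type, first bytes of the response body).
SAMPLE_EVENTS = [
    ("10.0.0.5", "http://update-host.placeholder.test/outlook.js", "application/javascript",
     b"var s=document.createElement('script');"),
    ("10.0.0.5", "http://update-host.placeholder.test/step2.js", "application/javascript", b"..."),
    ("10.0.0.5", "http://update-host.placeholder.test/get.php", "text/plain",
     base64.b64encode(b"PK\x03\x04" + b"\x00" * 20)),  # base64 of a ZIP local-file header
    ("10.0.0.5", "http://www.microsoft.com/", "text/html", b"<html>"),
    ("10.0.0.7", "http://www.microsoft.com/", "text/html", b"<html>"),  # ordinary visit, no chain
]

def is_base64_zip(body: bytes) -> bool:
    """True if the body looks like base64 text that decodes to a ZIP (PK\x03\x04 magic)."""
    head = body[:64].strip()
    head = head[:len(head) - len(head) % 4]  # base64 decodes in 4-character groups
    try:
        decoded = base64.b64decode(head, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(b"PK\x03\x04")

def is_microsoft_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")

def find_download_chains(events):
    """Per client, walk a three-stage state machine over the records in order:
    JavaScript download -> base64-encoded ZIP -> visit to microsoft.com.
    Returns {client: [urls that formed the chain]} for clients completing all stages."""
    state = defaultdict(lambda: {"stage": 0, "urls": []})
    hits = {}
    for client, url, ctype, body in events:
        st = state[client]
        if st["stage"] == 0 and "javascript" in ctype.lower():
            st["stage"], st["urls"] = 1, [url]
        elif st["stage"] == 1 and is_base64_zip(body):
            st["stage"] = 2
            st["urls"].append(url)
        elif st["stage"] == 2 and is_microsoft_host(url):
            st["urls"].append(url)
            hits[client] = st["urls"]
            state[client] = {"stage": 0, "urls": []}  # reset so a repeat chain is reported again
    return hits

if __name__ == "__main__":
    for client, chain in find_download_chains(SAMPLE_EVENTS).items():
        print(client, "->", " | ".join(chain))
```

The base64 check decodes only the first few characters and tests the ZIP magic bytes, so it also works on truncated body captures.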

Upon execution of the malware, an interesting beacon appears. “[We see] the download of the file from Upatre, but we are seeing references to the IP address from the Dyre beacon,” explained PhishMe researchers Ronnie Tokazowski and Shyaam Sundhar, in an analysis. “This is significant because this shows a blending of Dyre and Upatre code into a new downloader, which we’ve dubbed Mini-Dyre.”

Once Mini-Dyre is downloaded, it is saved as a randomly named executable, executed and injected into memory, and connects to the command-and-control server, with messages encrypted via SSL. After a few minutes of being connected, Dyre downloads another tool, a mass-mailer, and the cycle begins again.

“With the rapid evolution of the phishing delivery mechanisms, malware downloaders and the malware itself, we will have a very interesting year,” the researchers said. “The rate at which Dyre and Upatre have changed is rather amazing.”
