report / Apr 12, 2015

Dyre In-Depth: Server-side Webinjects, I2P Evasion, and Sophisticated Encryption

by Avi Shulman, Hadas Dorfman

Dyre is one of the most sophisticated banking and commercial malware agents in the wild. This trojan uses fake login pages, server-side webinjects, and modular architecture to adapt to the victim. This in-depth report looks at the entire fraud flow and its capabilities.

Dyre is a relatively new banking Trojan, first seen in early 2014, and it quickly became one of the most sophisticated banking and commercial malware families in the wild. Although it mainly targets online banking, it steals other types of credentials as well. Dyre introduced several techniques that were new at the time: completely fake login pages shown in place of the bank's own, server-side webinjects (the injected content is fetched from the attacker's server for the page being visited rather than shipped in a static configuration on the victim), and a modular architecture. The level of sophistication and the constant upgrading of its capabilities suggest that it is here to stay.

Many have written about this new threat. However, few have succeeded in covering the entire fraud flow and all of its capabilities.

Like most other malware, Dyre spreads via phishing campaigns, and the infection proceeds in several stages. First, the victim receives an email, similar to the template shown above, containing an attachment. Opening the attachment unknowingly runs the "Upatre" downloader, which then fetches the actual Dyre payload and infects the machine. In the last stage, the infected machine uses a spamming tool to send similar emails and continue the spread.

Attackers use several methods to evade security products and researchers. Dyre constantly changes its "packing": the executable is compressed or encrypted and wrapped with a small stub that restores it in memory at run time, so the bytes on disk change while the functionality stays the same. Every repack yields a new file hash and defeats static signatures written against an earlier sample, and the code cannot be read until it has been unpacked.
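The packing idea described above, as an added example that is not code from the F5 Labs report and not Dyre's actual packer: a toy packer (zlib compression followed by a one-byte XOR, a constructed stand-in) is applied to a constructed code-like blob. It shows that the packed bytes and their hash change with every key while the unpacked program is identical, that a byte-pattern signature which matches the original no longer matches the packed form, and that the Shannon-entropy heuristic analysts use to flag packed sections still catches it. The marker string, the payload, and the 7.0 bits-per-byte threshold are all assumptions made for the example.

```python
"""Why repacking defeats static signatures, and what still catches it.

Added example; not code from the F5 Labs report. The "packer" below
(zlib + single-byte XOR) is a constructed stand-in, not Dyre's packer.
"""
import hashlib
import math
import zlib
from collections import Counter

# Constructed stand-in for an unpacked code section: repetitive
# "mov rax, [rip+imm32]"-style records as low-entropy filler, plus a
# marker string that plays the role of the byte pattern a static
# signature keys on. Neither is a real Dyre indicator.
SIGNATURE = b"example-bot-config-marker"
ORIGINAL_PAYLOAD = (
    b"".join(b"\x48\x8b\x05" + i.to_bytes(4, "little") for i in range(4096))
    + SIGNATURE
    + b"\x00" * 256
)

# Rule-of-thumb threshold (assumption): compressed or encrypted data
# approaches 8 bits of entropy per byte; native code sits well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pack(payload: bytes, key: int) -> bytes:
    """Toy packer: compress, then XOR each byte with a one-byte key.

    The key is stored in the first byte so the unpacking stub can undo it.
    Changing the key is the toy equivalent of "repacking" a sample.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    compressed = zlib.compress(payload, 9)
    return bytes([key]) + bytes(b ^ key for b in compressed)


def unpack(packed: bytes) -> bytes:
    """Unpacking stub: read the key, reverse the XOR, decompress."""
    key = packed[0]
    return zlib.decompress(bytes(b ^ key for b in packed[1:]))


def sha256_hex(data: bytes) -> str:
    """File hash as a blocklist or AV engine would compute it."""
    return hashlib.sha256(data).hexdigest()


def signature_matches(data: bytes) -> bool:
    """Naive static signature: does the marker byte string appear?"""
    return SIGNATURE in data


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Entropy heuristic used to triage possibly packed sections.

    Caveat: legitimately compressed resources or encrypted blobs also
    trip this, so it is a triage signal, not a verdict.
    """
    return shannon_entropy(data) > threshold


if __name__ == "__main__":
    variants = {key: pack(ORIGINAL_PAYLOAD, key) for key in (0x5A, 0xA7, 0x13)}
    print(f"original: {len(ORIGINAL_PAYLOAD)} bytes, "
          f"entropy {shannon_entropy(ORIGINAL_PAYLOAD):.2f}, "
          f"signature hit {signature_matches(ORIGINAL_PAYLOAD)}, "
          f"packed? {looks_packed(ORIGINAL_PAYLOAD)}")
    for key, blob in variants.items():
        print(f"key 0x{key:02x}: {len(blob)} bytes, sha256 {sha256_hex(blob)[:16]}..., "
              f"entropy {shannon_entropy(blob):.2f}, "
              f"signature hit {signature_matches(blob)}, "
              f"packed? {looks_packed(blob)}, "
              f"unpacks to original {unpack(blob) == ORIGINAL_PAYLOAD}")
```

In practice the entropy check is run per PE section rather than over the whole file, and a high-entropy section next to a tiny executable stub is the classic packed layout; the defensive lesson from Dyre's constant repacking is that hashes and byte signatures are the weakest layer, and behavioural detection (the unpacked code in memory, the webinject traffic) is what survives a repack.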


MODIFIED: Feb 22, 2017
