This post was authored by Alex Chiu & Angel Villegas.
Banking and sensitive financial information is a highly coveted target for attackers because of its high value and obvious financial implications. In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers. While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data. As a result, banking malware has become a common class of malware that poses a major threat to users and organizations of all sizes. One of the more well known examples of banking malware is Zeus.
Table of Contents: Overview | Technical Analysis | Domain Generation Algorithm | Other Thoughts | Conclusion | Appendix
Banking malware typically operates by redirecting users to malicious phishing sites where victims enter their banking credentials thinking they are logging into their bank’s website. Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them. Once an attacker has a victim’s banking credentials, attackers can then sell them or use them to perform illicit transactions (such as transferring funds to another account on behalf of the victim).
Dyre is an example of banking malware using this same behavior by hooking itself into the victim’s browser to steal bank credentials. Talos has seen Dyre delivered through spam and phishing emails sent to users. Attackers use social engineering techniques to craft these messages to appear as if there’s a fax (or some other sort of message) attached that is intended for the user. This entices victims to click on the attachments and open them. In the event that a user downloads and opens the attachment, an Upatre trojan variant will begin downloading Dyre and execute it. Below is an example of one of the phishing messages Talos has observed targeting users.
Talos has also seen attackers send out phishing messages with links to pages that will serve malicious content that ultimately also installs Dyre onto the victim’s computer. Once Dyre has installed itself onto the system, it will capture bank credentials and exfiltrate them to command and control servers under the attacker’s control.
Previously, versions of Dyre used hardcoded URLs to communicate with the command and control servers. However, the latest versions employ a domain generation algorithm to allow attackers to better anonymize their infrastructure and evade detection. A domain generation algorithm, or DGA, is an algorithm used to compute a random looking domain name for any given time based on predefined variables. Attackers employ DGAs to give malware the ability to compute where the command and control servers will be at any given time. Dyre incorporates this practice in order to remain operational when the attackers change the domain name daily. In the event that a victim becomes compromised, blocking associated Dyre traffic using blacklists becomes difficult because it’s not obvious what domain name Dyre will use to phone home.
Talos has reverse engineered Dyre to fully understand how the DGA is written. Our findings are detailed further on and are highly technical in nature given the complexity of the subject. Replicating the DGA allows analysts and researchers to enumerate the dynamically generated domain names and add them to URL blacklists. This means that, in the event a user winds up compromised by Dyre, URL blacklisting will be able to prevent Dyre from communicating with the command and control servers.
Talos’ goal is protecting customer networks, and our research into Dyre’s DGA allows us to accomplish this goal by providing various means of detecting and blocking associated traffic. As attackers evolve, defenders will also need to evolve and understand how attackers are moving to evade defenses. Reverse engineering Dyre’s DGA enables Talos to enumerate the dynamically generated domain names for blacklisting purposes. In doing so, we are able to provide another layer of protection that works in conjunction with the rest of the products Talos supports to protect users across the entire attack continuum.
The outer layer of Dyre is a graphical user interface (GUI) based program, created using Microsoft’s Foundation Class libraries (also known as MFC libraries). MFC libraries aid developers in creating GUIs, but also make reversing more difficult due to class objects, vtables, and layers of indirection. This means that malicious behavior can be tucked away in many places inside the application (i.e. initializing the application, creating a toolbar, destroying a window, etc.). Opening Dyre in IDA Pro shows a minimalistic WinMain function.
Dyre utilizes the MFC libraries and implements a large amount of the GUI, such as constructors/destructors of several GUI objects and event handlers for various GUI events. However, Dyre quickly raises an exception, causing the exception handler to invoke the function of interest. The core functionality can be found in a custom destructor for the CWinApp object (the base of a Windows application object). The custom destructor will extract and execute the first stage of shellcode. The first stage shellcode (S1) is derived from existing bytes within Dyre’s .text section. S1 is small and performs a couple of tasks to set up the next stage. Before it can be used, the page permissions of the .text section are changed to read, write, and execute. S1 is obfuscated with a simple XOR scheme. To complicate the reverse engineering process, the code to de-obfuscate S1 is spread across four small functions.
S1 dynamically loads additional APIs in order to extract, de-obfuscate and execute the second stage shellcode (S2). S2 will assemble a fragmented and obfuscated executable from different regions in the original sample. Once de-obfuscated, S2 will overwrite the original sample in memory with the new executable and jump to its entry point. The replacement Dyre executable (which we’ll refer to as rDyre) is a regular console application that does not use the MFC libraries and does not employ obfuscation on character strings.
The purpose of rDyre is to establish Dyre as a Windows Service. Establishing Dyre as a service provides persistence across reboots as well as access to a System Security token. rDyre will check to see if it has already been installed as a service by using the Windows Service APIs. If the API calls fail, then rDyre will attempt to install Dyre as a service. In either case, whether installation succeeds or fails, rDyre will also establish itself in the current Windows session by injecting a DLL into either explorer.exe or svchost.exe. This DLL is the third stage (S3) in the Dyre chain of execution. In order to ensure a copy of the Dyre DLL is running at all times, Dyre uses the “Globalbdm2wosh32” mutex as a signal to indicate to any other Dyre processes that it has injected itself and is running.
The process by which Dyre installs itself as a service follows a convoluted execution flow. Dyre constantly determines where it’s running from in order to decide what to do next. In this sample, Dyre checks to see if it’s running from the Windows directory or from the user’s Temp directory before attempting to establish itself within the Windows session and on the system.
Initially when Dyre begins executing, it will likely be outside of the user’s Temp directory and Windows directory. Dyre will first copy itself to the user’s Temp directory under a randomly generated 15 character string (which we will refer to as “Name1”), execute the new copy of itself, inject itself into the explorer.exe process, and create the “Globalbdm2wosh32” mutex. The new copy (Name1) of Dyre will then perform the same check to determine where it’s running from and then attempt to copy itself into the Windows directory under another randomly generated 15 character string (referred to as “Name2”), and execute the second copy.
The second copy (Name2) of Dyre will attempt to delete the first copy (Name1) from the previous location, and then check for the presence of the “Globalbdm2wosh32” mutex before injecting itself into the svchost.exe process. If Dyre detects it’s being run from within the Windows directory, it will check for and install itself as the “googleupdate” service before proceeding to check if the “Globalbdm2wosh32” mutex is present and injecting itself into the svchost.exe process. If Dyre is already running as a service from within the Windows directory, Dyre will then spawn a non-service process of itself.
The following flow chart explains the process Dyre follows in relocating itself and establishing persistence:
As we mentioned before, S3 is the DLL that gets injected into one of two Windows processes. S3 is retrieved from rDyre’s resource section before it is injected into explorer.exe or svchost.exe. rDyre has three resources (xfevepwmw, be2e393ne and vdfd1f6ed). Resources be2e393ne and vdfd1f6ed are S3 for x86 and x64 architectures, respectively. Both resources are obfuscated using a 256 byte substitution cipher; the substitution table is resource xfevepwmw.
Deobfuscating the shellcode can be done concisely in Python.
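The post's own snippet did not survive extraction, so the following is an added example (not Talos' code) of undoing a 256-byte substitution cipher of the kind described above. It assumes the table maps each obfuscated byte value to its plaintext byte; the direction is not stated on the page, so an inverter is included, and the table and payload used here are constructed, not taken from a sample.

```python
# Added example: decode a resource obfuscated with a 256-byte substitution table.
# Assumption: table[obfuscated_byte] == plaintext_byte. If a real table runs the
# other way, pass it through invert_table() first.

def check_table(table: bytes) -> None:
    """A usable substitution table is a permutation of 0..255; refuse anything else."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("substitution table must be a 256-byte permutation")


def invert_table(table: bytes) -> bytes:
    """Build the reverse mapping (needed when the table encodes rather than decodes)."""
    check_table(table)
    inv = bytearray(256)
    for plain, obfuscated in enumerate(table):
        inv[obfuscated] = plain
    return bytes(inv)


def deobfuscate_resource(table: bytes, data: bytes) -> bytes:
    """Apply the table byte for byte to the obfuscated resource."""
    check_table(table)
    return bytes(table[b] for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decoded resource: an MZ header at offset 0."""
    return blob[:2] == b"MZ"


# Constructed demonstration table: (i * 7 + 3) mod 256 is a permutation since 7 is odd.
DEMO_TABLE = bytes((i * 7 + 3) % 256 for i in range(256))
# Constructed plaintext (an MZ stub) and its obfuscated form under the inverse table.
DEMO_PLAIN = b"MZ\x90\x00" + bytes(range(16))
DEMO_OBFUSCATED = bytes(invert_table(DEMO_TABLE)[b] for b in DEMO_PLAIN)

if __name__ == "__main__":
    decoded = deobfuscate_resource(DEMO_TABLE, DEMO_OBFUSCATED)
    print(decoded == DEMO_PLAIN, looks_like_pe(decoded))
```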
rDyre has a slightly different way of injecting into a running explorer.exe or svchost.exe than most malware. Most malware will inject code in a couple of different ways:
rDyre maps S3 into svchost’s virtual memory via NtMapViewOfSection. At this point most malware will either hijack a thread already running in the process (making use of GetThreadContext, SetThreadContext, and ResumeThread) or create a new one (making use of CreateRemoteThread). Not rDyre. Instead it uses ZwQueueApcThread to specify the start address of the shellcode injected into the process.
Asynchronous Procedure Calls (APCs) are functions that execute asynchronously in the context of a particular thread. When an APC is queued to a target thread, the system issues a software interrupt to preempt that thread. Think of it as saving off the execution context of a thread in order to start running some different code. Once the code returns, the original thread context is restored and executed. Dyre locates a dormant thread in the remote process and preempts it with S3. ZwQueueApcThread allows the caller to specify three arguments that will be passed to the thread. rDyre sends the APC thread the start address of the injected shellcode as the first argument. S3 contains an embedded PE file.
The embedded file is not obfuscated and is loaded into memory by S3. The embedded PE file is a DLL, the core functionality of Dyre. The DLL has no exported functions and five resources (4et5dphf7, 7qvndbku0, ty2h4if34, 4et5dphf7, and 5r3ywoac6). A quick look at the strings in the DLL provides a good start for analyzing networking functionality. Below is a list of some strings within the DLL:
The string “
” sticks out because newer versions of Dyre use SSL to secure their network traffic and port 443 is typically used for HTTPS traffic. The only reference to the string is a function (located at 0x100082C3) using the string as the format string argument for wsprintfA. The format string prints out byte values as two lowercase ASCII hex characters each, except for the string before the port number. Analyzing the function, %s is tied to a top level domain (TLD) lookup table Dyre uses. The TLD used depends on a number passed in as the second argument to the function. The rest of the string is created from data generated by a call to an unknown routine at virtual address 0x10006D88. This routine immediately calls another function that sets up the initialization vector known for the SHA256 algorithm (IV: [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]). Instead of using the Win32 APIs available for creating hashes, Dyre either has a SHA256 implementation statically compiled in or included its own implementation. Backtracking to determine the input for the hashing function, we find it is a concatenation of the UNICODE string and the integer argument passed to the function via a call to wsprintfA with the format string “%s%d”. The only question now is what string and number value are passed to the routine at 0x100082C3 (renamed dga_create_domain). Luckily dga_create_domain is only referenced from one place, inside a small loop.
Within the small loop it becomes clear the number value passed to dga_create_domain is a value in a hardcoded range, [0, 333). Before the loop, routine 0x10008291 (renamed get_system_time_year_month_day) is called with the same buffer passed to dga_create_domain. Inside get_system_time_year_month_day, the system time is obtained and formatted as a year-month-day string. Now that the dga_create_domain arguments are known, the DGA can be understood.
The above diagram visually shows Dyre’s DGA for the date July 4, 2015 and the input number 16. This is only one of 333 possible domains generated each day by the algorithm. Below is a Python implementation for generating Dyre’s DGA for a single day.
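The post's Python script is not present in this copy, so the following is an added reimplementation (not Talos' code) of the algorithm as the analysis above describes it: SHA256 over "%s%d" (the year-month-day string followed by an index in [0, 333)), rendered as lowercase hex, followed by a TLD picked from a lookup table by that index, then ":443". The exact date layout ("YYYY-MM-DD"), the TLD table contents (placeholders here), the use of all 32 digest bytes and the choice of TLD as index modulo table size are assumptions, since the page does not state them.

```python
import hashlib
from datetime import date, timedelta

# Added example; the values below mirror the analysis, except where marked as assumed.
DOMAINS_PER_DAY = 333      # page: the loop index is in the hardcoded range [0, 333)
C2_PORT = 443              # page: the format string ends with the port number
# PLACEHOLDER TLD table: the page says a lookup table is used but does not list it.
TLD_TABLE = [".tld0", ".tld1", ".tld2", ".tld3", ".tld4", ".tld5", ".tld6", ".tld7"]


def get_system_time_year_month_day(year: int, month: int, day: int) -> str:
    """Mirror of the routine renamed get_system_time_year_month_day (layout assumed)."""
    return "%04d-%02d-%02d" % (year, month, day)


def dga_input(date_str: str, index: int) -> str:
    """wsprintfA("%s%d", date_str, index): the data that gets hashed."""
    return "%s%d" % (date_str, index)


def dga_create_domain(date_str: str, index: int) -> str:
    """Mirror of dga_create_domain: lowercase hex SHA256 of the input plus a TLD."""
    digest = hashlib.sha256(dga_input(date_str, index).encode("ascii")).hexdigest()
    tld = TLD_TABLE[index % len(TLD_TABLE)]   # assumption: index selects the TLD
    return digest + tld


def dga_create_url(date_str: str, index: int) -> str:
    """The "%s:%d" form the page describes: domain followed by the port."""
    return "%s:%d" % (dga_create_domain(date_str, index), C2_PORT)


def dyre_domains_for_day(year: int, month: int, day: int) -> list:
    """All 333 candidate C2 domains for one day, ready to feed a blocklist."""
    date_str = get_system_time_year_month_day(year, month, day)
    return [dga_create_domain(date_str, i) for i in range(DOMAINS_PER_DAY)]


def dyre_domains_for_range(first: date, days: int) -> list:
    """Pre-compute several days ahead so a blocklist is populated before rollover."""
    out = []
    for n in range(days):
        d = first + timedelta(days=n)
        out.extend(dyre_domains_for_day(d.year, d.month, d.day))
    return out


if __name__ == "__main__":
    # The page's worked case: July 4, 2015 with index 16.
    print(dga_create_url("2015-07-04", 16))
    print(len(dyre_domains_for_range(date(2015, 7, 4), 7)), "domains for one week")
```

Replace TLD_TABLE with the table recovered from the sample before using the output operationally; with placeholders the labels are correct but the suffixes are not.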
As a malware researcher, specific behavior (expected or witnessed) can be traced back to certain APIs used by the malware developers. For example, finding a DGA results in looking for places where domains will be resolved to IP addresses. The initial approach was to locate domain name to IP address resolution (functions similar to gethostbyname). However, Dyre creates several short lived processes, injects into other processes, and doesn’t resolve generated domains immediately after creation. This approach led to analyzing an injected payload that could be the phishing component downloaded by Dyre or some other portion of Dyre. Either way, it didn’t yield the DGA. At that point it became better suited to start from the beginning of the sample and work through the layers. This can be difficult depending on any anti-analysis/debugging/virtualization techniques employed through the layers. It became necessary to use several different tools and techniques to get from one layer to another. Since Dyre keeps core functionality only in memory, tools like Volatility, WinDbg (remote kernel debugging), and userland debuggers were essential to dumping memory for static analysis. This process allows unimportant functionality to be skipped and ensures anti-analysis techniques are bypassed. Since shellcode takes more effort to develop, it’s typically given small tasks, such as loading the next stage, providing anti-analysis functionality, or extracting and loading other executables. In this analysis of Dyre, the shellcode was analyzed just long enough to find where it was transitioning to the next stage and whether there were any tricks to prevent analysis.
Talos’ goal is protecting our customers from malware, including banking malware such as Dyre. As attackers evolve their techniques to maintain a low profile and evade detection, defenders also need to evolve and understand how attackers are trying to evade detection. In order to accomplish this, reverse engineering malware samples becomes necessary to gain a better understanding and to develop protections that can block malware at various points in a defense-in-depth approach.
Reverse engineering Dyre to understand the DGA allows Talos to enumerate the generated domain names used to host the command and control servers. Talos can take these generated domain names and feed them into our URL and domain blacklists. By doing this, we can ensure that customers are protected across the entire attack continuum using a defense-in-depth approach should the attacker bypass other defenses. In the event that a user winds up compromised by Dyre, they are still protected from leaking sensitive information because URL blacklisting will prevent communication to the malicious domains.
SHA256 of Reversed Sample:
We encourage organizations to consider security best practices, starting with a threat-centric approach that implements protections across the extended network and across the full attack continuum.
ESA can block phishing emails sent by threat actors and prevent exposure.
CWS/WSA web scanning prevents access to websites hosting malicious content.
Advanced Malware Protection (AMP) is designed to prevent the execution of the malware used by these threat actors.
Network Security appliances, such as NGIPS and NGFW, have signatures to detect and block malicious network activity by threat actors.
The following is a list of strings found within the S3 DLL file.