DHS Warns - Dyre Being Used to Rob Banking Credentials

Threatpost.com reported on 28th October, 2014 stating that the Department of Homeland Security (DHS) formally sounded the alarm recently on Dyre saying that the banking Trojan has been spotted stealing banking credentials from both large enterprises and major financial institutions lately.

United States Computer Emergency Readiness Team (US-CERT) alerted through a warning informing public about the malware which is distributed through spam and phishing emails.

US-CERT says that phishing emails peddling Dyre are now using malicious PDF attachments leveraging vulnerabilities (namely CVE-2013-2729) in old which is an un-patched versions of Adobe Reader to download the malware and once it is downloaded, it captures login information and sends that to attackers.

Securityweek.com published news on 28th October, 2014 quoting an advisory note of US-CERT as "a phishing campaign with Dyre/Dyreza banking malware has targeted a wide variety of recipients since mid-October 2014. Elements of this phishing campaign differ from target to target including attachments, senders, themes, exploits and payload(s). The actor's main purpose is to entice recipients to open attachments and download the malware by using various tactics."

Experts are advising users to be careful of unwanted emails and particularly pay attention to spell errors in the message and subject of the email as these indicate fraud. Also, existence of Google Update Service could be a mark of infection.

The Trojan (referring to Trojan) is designed to rob log-in credentials, especially banking details and mail it to operator. However, the strain was adapted for other kinds of credentials and in a recent happening it has been found that bitcoin websites have been included in the target's list of the configuration file.

Cybercriminals prefer the method of sending Dyre through email campaigns which is their ultimate goal and they have carried it out throughout the summer.

It has been seen that an email purporting to be from JP Morgan finance as well as in messages asserting to be a notification of a new voice message being available.

US-CERT advises users and administrators to follow basic security steps like not to click unsolicited links in email and should be careful while opening any attachments in email.

» SPAMfighter News - 11/6/2014