Overview
Within the last week, the now infamous “man-in-the-browser” (MITB) banking malware Dyreza appears to have significantly expanded its target set of entities from which to steal credentials.
Dyreza originally focused on intercepting end-user bank logins, and later expanded to job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories [2]. As of September 17th Dyreza now counts an additional twenty organizations directly involved in Fulfillment and Warehousing; four software companies that support Fulfillment and Warehousing; five Wholesale Computer Distributors; and its credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems and many other well-known consumer- and business-facing technology and service brands.
Part I: The Phish
In a typical new campaign, for example the September 22 US-focused Dyre campaign (ID 2209us13), the attackers provided an email that was designed to appear as though it had come from a legitimate bank, and used the Subject line: “You have received a secure e-mail.” The email urged the user to read and reply to the secure email by opening the attachment while connected to the Internet.
Figure 1: Phishing email with attachment
Part II: The Attachment
When the email recipient opens the attachment, they encounter a ‘secure’ Office document. The document claims to be encrypted, and the user is urged to “PLEASE ENABLE CONTENT* TO SEE THIS DOCUMENT.” Pressing the “Enable Content” button in Word then enables macros embedded in the documents, which in turn activate a secondary payload. The attackers’ request for Internet connectivity (in the email body) is significant, as this specific macro, known as Xbagging or Bartallex [1], downloads the payload from Internet, rather than unpacking it from within an email attachment a technique used to avoid detection by security programs.
Figure 2: The malicious attachment
The payload downloaded by the document is Upatre, which in turn downloads Dyreza. Dyreza in addition may download one of two dedicated spambots to further spread the botnet.
Part III: The New Targets
The specific changes Proofpoint observed are in the “<rpcgroup>” section of Dyreza’s configuration. This section contains directives to Dyreza to sniff POSTs within the users’ browser and send them to the Dyre C2. As can be seen below, the targeted companies include those in the Warehouse and Fulfillment business, as well as those that create Warehouse and Fulfillment software.
Conclusion
The specific changes observed represent a clear and deliberate strategy on the part of attackers to target a new industry, at all points across the supply chain. In that regard, this latest evolution of Dyreza should dispel once and for all the myth that only financial institutions are targeted by credential-stealing MITB attacks from this malware strain. The observed campaigns clearly use sophisticated malware and phishing techniques in targeted attacks against major Fulfillment, Warehousing, and Distribution targets. We suspect a financial motivation. Once an attacker has obtained login credentials for their targeted systems, the potential to harvest payment information, make fraudulent financial transfers, and even divert physical shipments is immense. In order to stay ahead of attackers, organizations should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.
Organizations Targeted for Interception and Credential Theft
Fulfillment and Warehousing:
Website |
Services provided |
accentbranding.com |
Marketing, Ecommerce, Fulfillment |
access.alivefulfillment.com app.atcostfulfillment.com |
Ecommerce, Fulfillment |
app.shipwire.com |
Logistics, Supply Chain Management and Order Fulfillment |
elink.echodata.com |
Fulfillment |
fcp.efulfillmentservice.com |
Ecommerce Fulfillment |
fmw.ferbermidwest.com |
Storage, distribution and fulfillment services and multiple warehouses |
idsnet.teamidslogistics.com |
Fulfillment & warehousing |
inventory.landiscowhse.com |
Warehousing |
leadersystems.com.au |
Manufacturer & distributor of high quality Information Communications Technology (ICT) products |
login.webgistix.com |
Procuring, warehousing, packaging and shipping |
my.fulfillrite.com |
eCommerce order fulfillment |
secure.aerofulfillment.com |
eCommerce Fulfillment Services |
wdlsslc.idsfulfillment.com |
Fulfillment |
web.nfsrv.com |
Fulfillment |
www.capacityllc.com |
Fulfillment |
www.four51.com |
Online order management system for B2B eCommerce |
www.fsifulfillment.com |
Online Order Fulfillment, Warehousing |
www.sprocketexpress.com |
Ecommerce, Order Processing, Fulfillment and Back-Office service |
www.swfulfillment.com |
Specialty Fulfillment Center |
Software: Inventory management, Warehouse Management, Ecommerce Platform, etc
Website |
Services provided |
qnet.e-quantum2k.com |
Software: print distribution, order entry, inventory management, accounts receivable / payable, ledger, credit card processing, sales tax import, etc |
secure-wms.com |
Warehouse Management Software |
speedorder.speedfc.com www.speedcommerce.com |
Ecommerce platform development; hosting, managed ecommerce, and marketing services; order and inventory management; pick, pack, and ship; returns processing; and 24/7 customer care |
www.shopify.com |
Build your online store with Shopify's ecommerce software |
Wholesale Computer Distributors:
Website |
Services provided |
ec.synnex.com www.synnex.ca |
Information technology supply chain services. Canadian Wholesale Computer Distributor. |
us-new.ingrammicro.com |
Wholesale technology products distributor; sales and distribution network |
www.anyware.com.au |
Importers and wholesalers of computer components and peripherals |
www.bluechipit.com.au |
National wholesalers of computer components, systems and peripherals |
www.bluepoint.net |
UK Distributor of IT Products: Components, Peripherals, Systems and Notebooks |
Other:
Website |
Services provided |
secure*.store.apple.com |
Apple |
li.ironmountain.com |
Storage and information management |
www.otterbox.com |
Smartphone Case manufacturer |
www.badgergraphics.com |
Print management and marketing firm |
IOCs
Value |
Type |
5f707df691a7820bfe530f394bef61c1f7fd48496bff120bd2bcb6c9c9a550ae |
Attachment hash |
afce5c6f08f26ebb12b9724fcb04009a9d54bb02c388e686135a381cecda8237 |
Upatre (id 22_U13) hash |
dc8849a7d9c25b4168327259bfd82e83bb308485824664b19e79c6c6be998f8c |
Dyreza (id 2209us13) hash |
197.149.90.166 |
Upatre C2 |
195.154.105.117:443 |
Dyreza C2 |
217.12.202.99:443 |
Dyreza C2 |
[hxxp://quotearabiasale[.]com/wp-content/themes/ePix/lib/adm/inc/phpFlickr/cache/5716367236.txt] |
Xbagging additional code |
[hxxp://sahabatbuku[.]com/wp-content/themes/bazar/core/assets/images/menu/5716367236.txt] |
Xbagging additional code |
[hxxp://quotearabiasale[.]com/wp-content/themes/ePix/lib/adm/inc/phpFlickr/cache/pipi.txt] |
Xbagging payload URL |
[hxxp://sahabatbuku[.]com/wp-content/themes/bazar/core/assets/images/menu/pipi.txt] |
Xbagging payload URL |
[hxxp://pcsolutionsexpert[.]com/wp-content/uploads/2015/08/calc.exe] |
Upatre |
[hxxps://94.40.82.66/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://94.141.130.9/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://91.246.105.164/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://89.239.120.43/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://87.249.142.189/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://85.135.104.170/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://82.160.64.45/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://82.115.76.211/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://78.72.233.105/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://78.108.101.67/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://77.48.30.156/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://72.230.82.80/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://72.175.10.116/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://69.9.204.114/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://69.144.171.44/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://68.70.242.203/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.222.201.61/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.222.201.222/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.221.195.6/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.221.147.66/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.207.229.215/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://65.33.236.173/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://63.248.156.246/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://45.64.159.18/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://42.47.213.123/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://37.57.144.177/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://27.109.20.53/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://24.33.131.116/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://24.148.217.188/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://213.92.138.154/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://209.27.49.117/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://208.117.68.78/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://203.129.197.50/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://203.115.103.27/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://197.210.199.21/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://194.28.191.245/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://186.68.94.38/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://185.89.64.160/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://180.233.123.210/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://176.101.135.103/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://173.248.31.6/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://173.216.247.74/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://150.129.49.11/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://142.47.213.123/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://112.133.203.43/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://109.199.11.51/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://94.40.82.66/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://94.141.130.9/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://91.246.105.164/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://89.239.120.43/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://87.249.142.189/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://85.135.104.170/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://82.160.64.45/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://82.115.76.211/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://78.72.233.105/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://78.108.101.67/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://77.48.30.156/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://72.230.82.80/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://72.175.10.116/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://69.9.204.114/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://69.144.171.44/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://68.70.242.203/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.222.201.61/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.222.201.222/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.221.195.6/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.221.147.66/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://67.207.229.215/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://65.33.236.173/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://63.248.156.246/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://45.64.159.18/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://42.47.213.123/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://37.57.144.177/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://27.109.20.53/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://24.33.131.116/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://24.148.217.188/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://213.92.138.154/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://209.27.49.117/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://208.117.68.78/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://203.129.197.50/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://203.115.103.27/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://197.210.199.21/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://194.28.191.245/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://186.68.94.38/Ares13.zip] |
Upatre Downloading Dyre |
[hxxps://185.89.64.160/Ares13.zip] |
Upatre Downloading Dyre |
67.221.147.103:4443 |
Dyre C2 |
67.221.156.105:4443 |
Dyre C2 |
78.8.174.25:443 |
Dyre C2 |
195.154.106.76:443 |
Dyre C2 |
173.252.48.79:443 |
Dyre C2 |
212.182.101.2:4443 |
Dyre C2 |
78.8.9.55:443 |
Dyre C2 |
185.74.84.55:443 |
Dyre C2 |
91.232.45.149:443 |
Dyre C2 |
91.232.45.40:443 |
Dyre C2 |
67.221.156.165:443 |
Dyre C2 |
89.161.51.115:4443 |
Dyre C2 |
109.87.63.98:443 |
Dyre C2 |
114.30.73.130:443 |
Dyre C2 |
115.119.250.245:443 |
Dyre C2 |
173.252.50.124:4443 |
Dyre C2 |
181.174.91.90:443 |
Dyre C2 |
186.46.142.66:443 |
Dyre C2 |
188.255.154.180:4443 |
Dyre C2 |
195.191.34.245:443 |
Dyre C2 |
206.116.171.216:443 |
Dyre C2 |
206.123.60.93:4443 |
Dyre C2 |
212.109.179.197:443 |
Dyre C2 |
216.57.165.182:443 |
Dyre C2 |
67.221.146.67:4443 |
Dyre C2 |
67.221.146.107:4443 |
Dyre C2 |
67.221.156.216:4443 |
Dyre C2 |
69.27.57.164:4443 |
Dyre C2 |
83.241.176.230:4443 |
Dyre C2 |
89.140.63.207:443 |
Dyre C2 |
103.230.220.8:443 |
Dyre C2 |
109.86.226.85:443 |
Dyre C2 |
150.129.48.147:443 |
Dyre C2 |
150.129.49.139:443 |
Dyre C2 |
173.185.166.94:4443 |
Dyre C2 |
176.120.201.9:443 |
Dyre C2 |
181.112.153.202:443 |
Dyre C2 |
184.190.64.35:4443 |
Dyre C2 |
188.120.194.101:4443 |
Dyre C2 |
206.123.58.42:4443 |
Dyre C2 |
208.123.135.106:4443 |
Dyre C2 |
82.100.4.60:443 |
Dyre C2 |
150.129.49.162:443 |
Dyre C2 |
188.125.38.100:443 |
Dyre C2 |
213.92.204.37:443 |
Dyre C2 |
91.238.241.26:443 |
Dyre C2 |
84.54.191.170:443 |
Dyre C2 |
89.174.116.76:443 |
Dyre C2 |
195.117.104.102:443 |
Dyre C2 |
193.189.77.76:443 |
Dyre C2 |
91.239.244.187:443 |
Dyre C2 |
46.174.237.115:443 |
Dyre C2 |
73.38.228.117:4443 |
Dyre C2 |
206.222.25.58 |
Dyre C2 |
195.154.105.117:443 |
Dyre C2 |
217.12.202.99:443 |
Dyre C2 |
67.221.147.103:4443 |
Dyre C2 |
67.221.156.105:4443 |
Dyre C2 |
78.8.174.25:443 |
Dyre C2 |
195.154.106.76:443 |
Dyre C2 |
173.252.48.79:443 |
Dyre C2 |
212.182.101.2:4443 |
Dyre C2 |
78.8.9.55:443 |
Dyre C2 |
185.74.84.55:443 |
Dyre C2 |
91.232.45.149:443 |
Dyre C2 |
91.232.45.40:443 |
Dyre C2 |
67.221.156.165:443 |
Dyre C2 |
89.161.51.115:4443 |
Dyre C2 |
109.87.63.98:443 |
Dyre C2 |
114.30.73.130:443 |
Dyre C2 |
115.119.250.245:443 |
Dyre C2 |
173.252.50.124:4443 |
Dyre C2 |
181.174.91.90:443 |
Dyre C2 |
186.46.142.66:443 |
Dyre C2 |
188.255.154.180:4443 |
Dyre C2 |
195.191.34.245:443 |
Dyre C2 |
206.116.171.216:443 |
Dyre C2 |
206.123.60.93:4443 |
Dyre C2 |
212.109.179.197:443 |
Dyre C2 |
216.57.165.182:443 |
Dyre C2 |
67.221.146.67:4443 |
Dyre C2 |
67.221.146.107:4443 |
Dyre C2 |
References
[1] https://www.proofpoint.com/us/threat-insight/post/Its-Not-Personal-Its-Business
[2] www.threattracksecurity.com/it-blog/dyre-targets-more-websites/