{"id":134,"date":"2014-10-28T09:53:06","date_gmt":"2014-10-28T09:53:06","guid":{"rendered":"http:\/\/test.blueshell.im\/Blog\/?p=134"},"modified":"2020-08-16T08:46:46","modified_gmt":"2020-08-16T08:46:46","slug":"us-cert-alert-ta14-300a-phishing-campaign-linked-with-dyre-banking-malware","status":"publish","type":"post","link":"http:\/\/www.blueshell.im\/Blog\/?p=134","title":{"rendered":"US-CERT Alert TA14-300A: Phishing Campaign Linked with \u201cDyre\u201d Banking Malware"},"content":{"rendered":"<h3>Systems Affected<\/h3>\n<p>Microsoft Windows<\/p>\n<h3>Overview<\/h3>\n<p>Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre\/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-2729\">[1]<\/a><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-0188\">[2]<\/a> Although this campaign uses various tactics, the actor\u2019s intent is to entice recipients into opening attachments and downloading malware.<\/p>\n<h3>Description<\/h3>\n<p>The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.<a href=\"http:\/\/www.pcworld.com\/article\/2364360\/new-powerful-banking-malware-called-dyreza-emerges.html\">[3]<\/a> Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.<a href=\"http:\/\/www.adobe.com\/support\/security\/bulletins\/apsb13-15.html\">[4]<\/a><a href=\"http:\/\/www.adobe.com\/support\/security\/bulletins\/apsb10-07.html\">[5]<\/a> After successful exploitation, a user&#8217;s system will download Dyre banking malware. 
All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.<a href=\"https:\/\/www.virustotal.com\/en\/file\/6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135\/analysis\/\">[6]<\/a><\/p>\n<p>Please note that the listing of indicators below does not represent all characteristics and indicators for this campaign.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Phishing Email Characteristics:<\/span><\/strong><\/p>\n<ul>\n<li>Subject: &#8220;Unpaid invoic&#8221; (<strong>Spelling errors in the subject line are a characteristic of this campaign<\/strong>)<\/li>\n<li>Attachment: Invoice621785.pdf<\/li>\n<\/ul>\n<p><strong><span style=\"text-decoration: underline;\">System Level Indicators (upon successful exploitation):<\/span><\/strong><\/p>\n<ul>\n<li>Copies itself under C:\\Windows\\[RandomName].exe<\/li>\n<li>Creates a service named &#8220;Google Update Service&#8221; by setting the following registry keys:\n<ul>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\googleupdate\\ImagePath: &#8220;C:\\WINDOWS\\pfdOSwYjERDHrdV.exe&#8221;<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\googleupdate\\DisplayName: &#8220;Google Update Service&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Impact<\/h3>\n<p>A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.<\/p>\n<h3>Solution<\/h3>\n<p>Users and administrators are advised to take the following preventive measures to protect their computer networks from phishing campaigns:<\/p>\n<ul>\n<li>Do not follow unsolicited web links in email. Refer to the <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/st04-014\">Security Tip Avoiding Social Engineering and Phishing Attacks<\/a> <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/st04-014\">[7]<\/a> for more information on social engineering attacks.<\/li>\n<li>Use caution when opening email attachments. 
For information on safely handling email attachments, see <a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/emailscams_0905.pdf\">Recognizing and Avoiding Email Scams<\/a>.<a href=\"https:\/\/www.uscert.gov\/sites\/default\/files\/publications\/emailscams_0905.pdf\">[8]<\/a><\/li>\n<li>Follow safe practices when browsing the web. See <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/ST04-003\">Good Security Habits<\/a> <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/ST04-003\">[9]<\/a> and <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/ST06-008\">Safeguarding Your Data<\/a> <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/ST06-008\">[10]<\/a> for additional details.<\/li>\n<li>Maintain up-to-date anti-virus software.<\/li>\n<li>Keep your operating system and software up-to-date with the latest patches.<\/li>\n<\/ul>\n<p>US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Systems Affected Microsoft Windows Overview Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre\/Dyreza banking malware. 
Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and &hellip; <a href=\"http:\/\/www.blueshell.im\/Blog\/?p=134\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":104,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/134"}],"collection":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=134"}],"version-history":[{"count":2,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":530,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/134\/revisions\/530"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/media\/104"}],"wp:attachment":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}