DYRE STRAITS, PONDURANCE

Dyre Straits: Money For Nothing



AGENDA

• Incident Notification
• Threat Research
• Incident Scoping – Option A
• Incident Scoping – Option B
• Incident Scoping – Option C
• Exploring the Kill Chain
• Dyre Evolution


NOTIFICATION OF THE INCIDENT

[Screenshot of the incident notification; the annotation on the slide points out the public IP.]


HOW IT WORKS

• The Dyre trojan will initially attempt to contact its C2 servers using an encrypted SSL connection. If this connection fails, it will attempt to establish a connection using addresses generated by a domain generation algorithm (DGA) or hardcoded Invisible Internet Project (I2P) addresses.

• When a user enters his bank's URL in the browser address bar, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file.

• The MITM proxy server forwards requests to the bank and disguises itself as the real user.

• The returning response from the bank is intercepted by the proxy server.

• Instead of the real response, the user receives a fake login page which is stored on the proxy server and contains scripts and resources from the real bank's page. The scripts and resources are stored in folders named after the unique port configured for each bank.

• The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf.

• After all the information has been acquired by the attacker, he can remotely access the victim's computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more.


SAMPLES FROM THE WILD

Below is a list of subject lines observed in 2015 Dyre phishing campaigns:

• "Wire transfer receive"
• "Medicines here"
• "Complaint against your company"
• "Payment Advice - advice Ref:[xxxxxx]/CHAPS credits"
• "Company repor" (note the missing t in "report")
• "Wire transfer complete"
• "Important – New Outlook Settings"
• "Your Documen" (note the missing t in "Document")
• "Voice Message"
• "Employee Documents – Internal Use"
• "Fwd Wire Payment"

*Personally witnessed those in bold


SAMPLES FROM THE WILD (CONT.)

Payload downloads: the slide listed the defanged download URLs observed, each with its hosting IP address.


SAMPLES FROM THE WILD (CONT.)

Command and control resiliency

• Since Dyre's inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure. The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.

Domain generation algorithm

• Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. The following domains were generated on December 8, 2014:

y3aaa48a7056d7075c3760cdbd90a75b8f.cc
z376dfe4955a257a78944864dd0158d172.ws
a8377c5a7c390331b15c1df94fa745e38a.to
ba3be71036fc2c06d603a2b17d41ffe71a.in
c9cca04cec2588918820cf33ba4337cca8.hk
dec4f75e53d7202136164e2b26456dabdf.cn
e3d68349d47efa0d5a9a92b1239bc4d48c.tk
f85db5ce8675f53b61f00ca0e822a33312.so
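As an added example (not code from the slides), here is a Python scan of exported DNS query logs that does the "search DNS logs for systems requesting the known malicious domains" step from the response plan, matching both the listed domains and the DGA shape. The label pattern (one letter followed by 33 hex characters) is inferred from the eight sample domains above rather than taken from Dyre's code, and the log lines are constructed in a simplified BIND-style format.

```python
import re
from collections import defaultdict

# The eight ccTLDs named on the slide
DYRE_TLDS = ("cc", "ws", "to", "in", "hk", "cn", "tk", "so")
# Assumption: the label shape (one letter, then 33 hex characters) is inferred from
# the eight sample domains on the slide, not taken from Dyre's own DGA code
DGA_LABEL = re.compile(r"^[a-z][0-9a-f]{33}$")
# Known-bad domains to match exactly (two of the December 8, 2014 samples)
KNOWN_DGA_DOMAINS = {
    "y3aaa48a7056d7075c3760cdbd90a75b8f.cc",
    "dec4f75e53d7202136164e2b26456dabdf.cn",
}
# Constructed, simplified BIND-style query log entries (not real traffic)
SAMPLE_LOG = """\
08-Dec-2014 10:15:03.001 client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.5)
08-Dec-2014 10:15:04.120 client 10.1.2.3#51235: query: y3aaa48a7056d7075c3760cdbd90a75b8f.cc IN A + (10.0.0.5)
08-Dec-2014 10:15:05.300 client 10.1.2.3#51236: query: ba3be71036fc2c06d603a2b17d41ffe71a.in IN A + (10.0.0.5)
08-Dec-2014 10:16:00.010 client 10.1.2.9#40001: query: update.googleapis.com IN A + (10.0.0.5)
08-Dec-2014 10:16:01.000 client 10.1.2.9#40002: query: c9cca04cec2588918820cf33ba4337cca8.com IN A + (10.0.0.5)
""".splitlines()

LOG_LINE = re.compile(r"client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN ")

def looks_like_dyre_dga(domain):
    """True when a domain has the Dyre DGA shape: a 34-character label on one of the eight ccTLDs."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return tld in DYRE_TLDS and DGA_LABEL.match(label) is not None

def scan_dns_log(lines):
    """Map each querying client IP to the suspicious domains it looked up (known-bad or DGA-shaped)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in KNOWN_DGA_DOMAINS or looks_like_dyre_dga(qname):
            hits[m.group("ip")].append(qname)
    return dict(hits)

if __name__ == "__main__":
    for ip, domains in scan_dns_log(SAMPLE_LOG).items():
        print(ip, domains)
```

Clients that appear in the result are candidates for the memory and filesystem forensics steps; a 34-character label on a non-listed TLD (the .com line) is deliberately not flagged.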


SAMPLES FROM THE WILD (CONT.)

System Level Indicators (if successful in exploitation):

• Copies itself under C:\Windows\[RandomName].exe
• Creates a service named "Google Update Service" by setting the following registry keys:
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
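As an added example (not from the slides), a Python triage check that applies the registry indicator above to service records exported from a suspect host. The record list is constructed, and the assumption that the genuine Google updater is installed under a \Google\Update\ folder as GoogleUpdate.exe is mine, not the deck's.

```python
import re

# Constructed service records, as if exported from HKLM\SYSTEM\CurrentControlSet\Services:
# (service name, DisplayName, ImagePath). The last entry uses the values from the slide.
SERVICE_RECORDS = [
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("gupdate", "Google Update Service (gupdate)",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'),
    ("googleupdate", "Google Update Service", r"C:\WINDOWS\pfdOSwYjERDHrdV.exe"),
]

# Assumption: the genuine updater lives under ...\Google\Update\ and is named GoogleUpdate.exe
LEGIT_UPDATER_HINTS = ("\\google\\update\\", "googleupdate.exe")
# Slide indicator: a random-looking name directly under C:\Windows (not a subfolder), ending in .exe
RANDOM_EXE_IN_WINDOWS = re.compile(r"^[a-z]:\\windows\\[a-z0-9]{8,}\.exe$", re.IGNORECASE)

def executable_from_image_path(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath, leaving the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]

def is_dyre_like_service(name, display_name, image_path):
    """Flag a service that borrows the 'Google Update' name but runs a random binary under C:\\Windows."""
    exe = executable_from_image_path(image_path).lower()
    claims_google = "google update" in display_name.lower() or name.lower().startswith("googleupdate")
    if not claims_google or any(h in exe for h in LEGIT_UPDATER_HINTS):
        return False
    return RANDOM_EXE_IN_WINDOWS.match(exe) is not None

def triage_services(records):
    """Return the names of the service records that match the Dyre persistence indicator."""
    return [name for name, disp, path in records if is_dyre_like_service(name, disp, path)]

if __name__ == "__main__":
    print(triage_services(SERVICE_RECORDS))
```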


WHILE WE WERE INVESTIGATING THE PHISHING INCIDENT…

• Same company requested a separate incident response engagement related to an internal threat

• Claimed a user had stolen hundreds of thousands of dollars from a corporate bank account

• Claimed the user colluded with a coworker to gain privileged rights to their banking portal to initiate a wire transfer

• Right away it was blatantly obvious Dyre had done its job, but I suppose it wasn’t so obvious to the customer

• We were able to clear the user of any wrongdoing after confirming presence of the malware on the user's system

• Proved to their insurance provider they met their “due diligence” requirements and were reimbursed for the loss

• Placed even more pressure on our team to fix this issue QUICKLY


SCOPING THE INCIDENT – OPTION A: REACTIVE

1. Locate hosts associated with users that Salesforce identified as compromised in the initial alert
2. Acquire memory
3. Pull from network
4. Perform filesystem forensics to determine timestamp of compromise and recover malware (Dyre and Cutwail)
5. Perform email forensics to recover phishing email
6. Perform forensics on browsing history to determine if any online web portals were accessed since that time
7. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user's email
8. Reimage affected system to eliminate all threats


SCOPING THE INCIDENT – OPTION A: REACTIVE

We're not done yet… using threat intel from initial findings:

8. Search email logs to find phishing emails sent to other users
9. Search DNS logs to find systems requesting the known malicious domains
10. Search firewall logs for known malicious IPs
11. Submit malware samples (don't forget Cutwail) to AV vendor for signature creation
12. If another affected system is found, repeat steps 2-8 from last slide
13. Repeat


SCOPING THE INCIDENT – OPTION B: PROACTIVE

Install NSM Sensor and look at it

SCOPING THE INCIDENT – OPTION B: PROACTIVE

1. Pull from network
2. Perform filesystem forensics to determine timestamp of compromise and recover malware (Dyre and Cutwail)
3. Perform email forensics to recover phishing email
4. Perform forensics on browsing history to determine if any online web portals were accessed since that time
5. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user's email
6. Reimage affected system to eliminate all threats
7. Submit malware samples (don't forget Cutwail) to AV vendor for signature creation

SCOPING THE INCIDENT – OPTION C: PROACTIVE ADVANCED

1. Let Live Response forensically analyze affected systems (we'll have this done before you can even locate the system)
2. Pull from network
3. Change credentials to those web portals that were accessed, all credentials resident on the system, and to the user's email
4. Reimage affected system to eliminate all threats
5. Submit malware samples (don't forget Cutwail) to AV vendor for signature creation


EXPLORING THE KILL CHAIN

1. Email Delivered
2. Attachment Opened
3. Exploit Launched
4. Trojan Dropper Installed
5. Trojan Dropper Beacons
6. Payload Delivered
7. Payload Installed
8. Command and Control Established
9. Credentials Captured
10. Bank Portal Accessed


EMAIL DELIVERY

Email filter such as IronPort
1. Block certain attachment types such as .scr, .exe, .zip, .rar
2. File inspection
3. Source reputation filters


ATTACHMENT OPENED

Attacker uses social engineering
1. Awareness training is key
2. Red team exercises
3. If an incident is underway, alert users via announcements of known subject lines and senders, etc.


EXPLOIT LAUNCHED

In the case we investigated, the phishing emails were using a flash exploit that leveraged CVE-2013-2729 (March 2013!!1!)

• Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727


TROJAN DROPPER INSTALLATION

• AV client
• Whitelisting
• HIPS


TROJAN DROPPER BEACON

• NIPS (must have active blocking signature)
• Sinkhole domains in DNS server
• On-the-fly executable analyzer


PAYLOAD INSTALLED

• AV client
• Whitelisting
• HIPS


COMMAND AND CONTROL/CREDENTIALS CAPTURED

• NIPS (must have active blocking signature)
• Sinkhole domains in DNS server


ACCESS TO BANK PORTAL

• Restrict access to only those who need it
• Two-factor authentication
• Regularly change credentials
• Only access portals from specific systems… a VM perhaps, with a clean snapshot?


EVOLUTION OF DYRE


JUST THIS MONTH…

• Latest version of Dyre includes sandbox evading capabilities, making analysis much more difficult

• Able to determine the number of hardware processors to identify whether or not it is launched in a virtual environment; also looks for network services such as DNS


PARTING THOUGHTS

• Patch your third-party applications
• Keep AV up to date
• Use NSM to catch successful attacks in real time when prevention fails
• Conduct regular awareness training so users aren't so quick to click
• Set up a process for users to forward suspicious emails to the security team for analysis


ANY QUESTIONS?

John Henderson, Sr. Security Analyst, [email protected]


SOURCES

• malware-traffic-analysis.net
• Secure Works
• F5
• US-CERT
• Emerging Threats
