Dyre Wolf: House Stark Comes to Information Security

Okay, so maybe not exactly, but the recent information security reports of Dyre Wolf bring to mind the family crest from Game of Thrones, as well as their family motto, “Winter is Coming.” In a recent report by IBM Managed Security Services, the malware known as Dyre or Dyreza, a trojan that targets corporate banking assets, is showing to be making a comeback.

Dyre/Dyreza, which apparently gets it’s name from a string in it’s code containing the phrase “I am Dyreza,” is part of a new malware campaign that is not only combining malware and exploit kits, but also advanced social engineering targeting employees with access to a company’s financial and corporate banking credentials. Given the multi-faceted approach this attack is taking to obtain businesses’ assets, it seems only fitting to compare it to the political intrigue that fills George R.R. Martin’s drama.

This campaign is actually fascinating to read about, as it is methodical and efficient in it’s quest for money. Just the malware alone has an impressive to-do list to accomplish. It needs to:

1. Infect a system. This is accomplished via spear-phishing emails containing the Upatre malware.
2. Confirm Network connectivity. Upatre, once executed, will attempt to discover the hosts public IP, NAT, and proxy settings.
3. Download Dyre, from a constantly changing list of domains and filenames.
4. Cover it’s tracks. Upatre after downloading and executing Dyre, will rename the files and clean-up evidence of the initial infection.
5. Keep itself around. Dyre creates an automatic service called ‘Google Update service’ and infects the svchost.exe process.
6. Surf the darknet. Using the Invisible Internet Project (I2P), it creates a peer tunnel network with its command and control servers.
7. Set the traps. Dyre ties itself into the host’s internet browsers to try and intercept credentials from targeted bank sites.
8. Spread the love. If possible, Dyre will attempt to spread using the host’s contact list with a payload attached.

Winter is coming indeed, and that’s just the software side. In addition to the browser and server injections that can lift credentials, Dyre Wolf also has an elaborate social engineering side, to further assist in gaining access. The software is set to generate an error when targeted sites are accessed, which direct the user to call a phone number manned by Dyre Wolf operators. This person is professional sounding, and speaks with an American accent, and after establishing a rapport with the caller, will ask for credentials, two-step authentication tokens, and even additional callers as needed to obtain access to the account. Once received, the caller will be asked to wait for verification or before attempting access again, while the attackers are accessing the account and transferring funds. And finally, Dyre Wolf mounts a DDoS attack against the caller after the transfer, to not only distract from the theft that took place, but prevent access to the bank’s site and possible cause further damage from stopped business.

What does this teach us? First, it’s dangerous beyond the Wall. But seriously, there are some steps that are good practice and will help with this particular attack.

1. Remove executables from email attachments. Do not just scan, but remove any .exe, .com or .scr files when possible, at the server level.
2. Don’t hide file extensions in Windows. By enabling this feature, it can help with identifying suspicious files. A file with a picture of a PDF but an .exe extension may give someone pause before opening or running a file.
3. Keep your Antivirus up-to-date. Threats on the internet are constantly changing, but having the latest definitions and packages for your software will help in detecting threats. Out-of-date protection will help no one. Also, if possible, use different solutions at different points of your network. Some products will find threats that other solutions miss.
4. Reboot! An age-old Windows adage for sure, but in this instance, Dyre’s software is injected into running memory, so this and similar infections can be interrupted or delayed by clearing it from memory.
5. Use two-factor when possible. The more pieces to a puzzle an attacker needs, the more chances they can be stopped or discovered before getting the keys to the castle.
6. Monitor your network traffic. Difficult to do from a user perspective, but with good network visibility, you can watch for indicators of compromise to alert you to an ongoing attack. Dyre Wolf uses several specific steps that could indicate an infection, via DNS requests or specific web requests.
7. Teach your end-users! All the security precaution in the world doesn’t help if users continue to open unknown attachments and give passwords over the phone. Work with them to develop good habits (or at least stop bad ones) and incentivize or reward good behavior. Make them aware of current/popular threats to look out for.

That being said, much as the balance of power is constantly shifting in Westeros, the threat landscape is always changing. So, take care out there and remember, winter is coming.