The legacy of Sandworm continues: The latest variant of the Dyreza/Dyre banking trojan malware is mounting a fresh offensive on the financial sector, with a focus on several banks in Switzerland and the recently uncovered Windows OLE remote code execution vulnerability.
According to a CSIS analysis, the new targets in Dyreza’s configuration file are being hit with spam emails to victims purporting to be invoices or account notices from banks. They have a PowerPoint attachment that exploits CVE-2014-4114—the same vector that was first seen abused in Sandworm advanced persistent threat (APT) attacks against targets in Poland and the Ukraine.
If the software is not updated, arbitrary code is executed and Dyreza is then downloaded to the host and run. It specifically targets sensitive user account credentials, capturing user login information and sending it back to malicious actors.
Dyreza installs itself as a Google Update service, and thus executed each time the system is rebooted. CSIS noted that on Microsoft Windows 7, it injects itself into explorer.exe process and hooks the browser. A slightly different approach is used on older Windows versions, on which it injects into the svchost.exe process instead.
Most of the command and control servers being used are hosted at OVH in France, CSIS said.
Proofpoint noted last month that Dyreza is increasingly popular for cyber-crooks in the wake of the Gameover Zeus takedown. And earlier in October, US-CERT issued a warning for the bug. The new wrinkle here, besides the target area being widened to Switzerland, is the use of the OLE exploit.
It was discovered by iSight at the beginning of September in spear-phishing attacks from a Russian hacking collective known as Sandworm, using a weaponized PowerPoint attachment. The flaw allows an attacker to remotely execute arbitrary code if they can convince a victim to open a specially crafted file via social engineering techniques.