Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware

The Dell SonicWALL Threats Research team observed reports of a Dyre bot family, detected as GAV: Dyre.E and Dyre.F, actively spreading in the wild. This is a new variant of the popular Dyre trojan that uses I2P (Invisible Internet Project) for its C&C communications. I2P is an anonymity network similar to the Tor network; the C&C communications use the malware's own self-signed SSL certificate.

Dyre typically arrives via a spam attachment that claims to be a fax or a package tracking notification but actually contains an Upatre downloader, which installs Dyre. Spam emails are then sent with Upatre attached, and the cycle repeats.

Infection Cycle:

MD5: 9651d4ffb09a507bb17502228a8dc674, 18cf4a3a89c07aa1fb7a8848e92259ad

The Malware uses the following icon:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\foreveview.exe [Executable file]

  • %systemroot%\wKehylcgruOagGy.exe [Executable file]

  • %Userprofile%\Local Settings\Temp\QjGjK48.exe [Executable file]

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate

    • HKLM\System\CurrentControlSet\Services\googleupdate\ImagePath

    • %systemroot%\wKehylcgruOagGy.exe

The malware adds the following keys to modify security services on the target machine:

The file wKehylcgruOagGy.exe is registered as a service in the Win32 subsystem. After the next restart, the malware injects into Svchost.exe and uses it to send packets to its C&C server; after some time it terminates its own process.
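The persistence entry above (a service named googleupdate whose ImagePath points at a randomly named executable placed directly in %systemroot%) can be hunted for offline. The following is an added example written for this page, not code from SonicWall or from the advisory: it parses a constructed "ServiceName|ImagePath" export (the export format is an assumption), flags entries that match the two traits described above, and checks file bytes against the MD5 indicators listed in the advisory.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory above.
KNOWN_MD5 = {
    "9651d4ffb09a507bb17502228a8dc674",
    "18cf4a3a89c07aa1fb7a8848e92259ad",
}
MIMICKED_SERVICE = "googleupdate"

# Constructed sample input in a "ServiceName|ImagePath" shape, as a simple
# (hypothetical) export script might write it. The second line reproduces the
# persistence entry described in the advisory; the other two are benign.
SAMPLE_SERVICES = """\
gupdate|"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc
googleupdate|%systemroot%\\wKehylcgruOagGy.exe
Spooler|%SystemRoot%\\System32\\spoolsv.exe
"""


def parse_services(text):
    """Return (name, image_path) tuples from the export text."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, _, image = line.partition("|")
            rows.append((name.strip(), image.strip()))
    return rows


def binary_path(image_path):
    """Strip quoting and arguments from an ImagePath, leaving the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def expand_systemroot(path):
    """Expand %systemroot% (any case) to C:\\Windows for path analysis."""
    return re.sub(r"%systemroot%", lambda m: "C:\\Windows", path, flags=re.I)


def check_service(name, image_path):
    """Return the reasons this service entry resembles Dyre's persistence."""
    reasons = []
    exe = PureWindowsPath(expand_systemroot(binary_path(image_path)))
    parts = [p.lower() for p in exe.parts]
    # Dyre's binary sits directly in %systemroot%; legitimate service
    # binaries live in System32 or under Program Files instead.
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("service binary placed directly in %systemroot%")
    # The name imitates Google's updater but the binary is outside any Google directory.
    if name.lower() == MIMICKED_SERVICE and "google" not in parts:
        reasons.append("service name mimics googleupdate but binary is not in a Google directory")
    return reasons


def scan_services(text):
    """Map each flagged service name to the reasons it was flagged."""
    flagged = {}
    for name, image in parse_services(text):
        reasons = check_service(name, image)
        if reasons:
            flagged[name] = reasons
    return flagged


def matches_known_sample(data):
    """True if the bytes hash to one of the advisory's MD5 indicators."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


if __name__ == "__main__":
    for svc, why in scan_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(why))
```

On a real host the same checks apply to the Services key exported from HKLM\SYSTEM\CurrentControlSet\Services; the two traits are independent, so a hit on either one is worth a look even when the service name differs from this campaign.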

Command and Control (C&C) Traffic

Dyre's C&C communication runs over HTTP and SSL. It sends requests to statically defined IPs/domains on a regular basis. Some of these requests (which appear to fetch a normal PDF file) actually retrieve an encrypted Dyre binary, which is then decrypted with the malware's own algorithm.
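A response that is presented as a PDF but carries an encrypted executable can be caught at a proxy or in captured traffic by comparing what the response claims to be with its leading bytes. The following is an added example for this page, not SonicWall's code: the sample responses are constructed (203.0.113.0/24 is a documentation address range), and the check flags any response that claims to be a PDF, by URL or Content-Type, without the %PDF- signature.

```python
# Signature every valid PDF file begins with.
PDF_MAGIC = b"%PDF-"


def claims_pdf(url, content_type):
    """True if the URL or Content-Type header presents the response as a PDF."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    path = url.split("?", 1)[0].lower()
    return media_type == "application/pdf" or path.endswith(".pdf")


def pdf_mismatch(url, content_type, body):
    """True if the response claims to be a PDF but lacks the %PDF- signature."""
    return claims_pdf(url, content_type) and not body.startswith(PDF_MAGIC)


# Constructed sample responses: (url, Content-Type header, first body bytes).
# The second entry models the "looks like a PDF, is really an encrypted
# payload" fetch described in the advisory; the first and third are benign.
SAMPLE_RESPONSES = [
    ("http://203.0.113.10/report.pdf", "application/pdf",
     b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("http://203.0.113.10/invoice.pdf", "application/pdf; charset=binary",
     b"\x8a\x1f\x44\x9c\x00\x12\x7b\x55"),
    ("http://203.0.113.10/index.html", "text/html",
     b"<html><body>ok</body></html>"),
]


def find_mismatches(responses):
    """Return the URLs of responses whose PDF claim is not backed by the signature."""
    return [url for url, ct, body in responses if pdf_mismatch(url, ct, body)]


if __name__ == "__main__":
    for url in find_mismatches(SAMPLE_RESPONSES):
        print("PDF claim without PDF signature:", url)
```

Only the first bytes of the body are needed, so the check can run inline on streamed responses; a hit on a periodic fetch to a fixed IP is the pattern to correlate with the C&C behaviour described above.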

The malware sends an HTTP request to the C&C server containing information such as the campaign it belongs to and the infected machine's computer name and operating system version. Here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dyre.E ( Trojan )

  • GAV: Dyre.F ( Trojan )
