Dyre.L a malware tries to register itself as Google Update Service to avoid detection.
The Dell SonicWall Threats Research team observed reports of a Dyre bot family named GAV: Dyre.L actively spreading in the wild. We recently released GAV: Dyre.E which is uses I2P (Invisible Internet Project) for C&C communications and also uses self-signed SSL certificate for C&C communications. The new version of Dyre tries to register itself as Google Update Service to avoid detection by Systems administrators.
Infection Cycle:
Md5: 3497d8bcdc25950d63b6add8f8e5f40a
The Malware uses the following icons:
The Malware adds the following files to the system:
-
C:WINDOWStSfxwnnGqbYvrba.exe [Random Service Name ]
-
%systemroot%system32configsystemprofileApplication Datanw9vbe8cb5.dll [ Data Log ]
The Malware adds the following keys to the Windows registry [As a Service] to ensure persistence upon reboot:
The file tSfxwnnGqbYvrba.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to send packets to its own C&C Server and after some time it terminates its own process.
Dyre tries to enumerate files on the target system, after Malware retrieve list for exe files it saves on % systemroot%system32configsystemprofileApplication Datanw9vbe8cb5.dll file and start to encrypt it with its own format, here is an example:
Here is decrypted information grabbed by malware:
Command and Control (C&C) Traffic
Dyre has the C&C communication over HTTP & SSL. It sends requests to statically defined IP/Domains on a regular basis. The Malware uses self- signed SSL certificate for C&C communications.
The malware sends a HTTP request to the C&C server which contains information such as the campaign it belongs to, the infected machines computer name, operating system version, here is an example:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
-
GAV: Dyre.L ( Trojan )
