Tuesday, November 5, 2024
If you support the work of Guyana Graphic click here to : DONATE
HomeUncategorizedPhishing Campaign Linked with “Dyre” Banking Malware - US-CERT Alert (TA14-300A)

Phishing Campaign Linked with “Dyre” Banking Malware – US-CERT Alert (TA14-300A)

United States Computer Emergency Readiness Team (US-CERT) has issued Alert TA14-300A – Phishing Campaign Linked with “Dyre” Banking Malware

Systems Affected: Microsoft Windows

United States Computer Emergency Readiness Team (US-CERT) has issued Alert TA14-300A – Phishing Campaign Linked with “Dyre” Banking Malware

Systems Affected: Microsoft Windows

Overview
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description
The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3](link is external) Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4](link is external)[5](link is external) After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6](link is external)

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:

  • Subject: "Unpaid invoic" (Spelling errors in the subject line are a characteristic of this campaign)
  • Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):

  • Copies itself under C:\Windows\[RandomName].exe
  • Created a Service named "Google Update Service" by setting the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"

Impact
A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.

Solution
Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to phishing-report@us-cert.gov.

References

Revisions
October 27, 2014: Initial Release

Link to Article

Related Articles

Cheddi Jagan International Airport

Contact Information for Cheddi Jagan International Airport

Address: Timehri, Guyana

Call: +592 261 2281

Call: +592 699 9074

Call: +592 600 7022

Email: cjiac@cjairport-gy.com https://cjairport-gy.com/contact-us/

Most Popular

Recent Comments

Debra K. Lawrence on Hotels you’ll never forget
Leith Yearwood on Snake Cut
Georgina Lambert-Calvert on What has happened to some of our young folks
Caribbean C Live on John Gimlette’s Voyages
Rev. Adunnola Waterman-French on GAC 2012 Reunion – A perfect Take-off
Georgina Lambert-Calvert on Guyana Emancipation (Freedom) Day History
Althea Garraway on Tapir
Open chat
Hello
Can we help you?