The Dyre/Dyreza banking Trojan has lately become very popular with cyber criminals – so much so that the US-CERT has issued an alert warning about the danger.
“Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s),” they shared.
“Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.”
Dyre/Dyreza is after sensitive account credentials for online services, online banking included, which it logs and sends to remote servers run by the criminals.
In another campaign spotted by Danish security firm CSIS, the malicious emails are very similar (fake unpaid invoices, bank details), but the attachment is a specially crafted PPT file made to exploit the Sandworm vulnerability (CVE-2014-4114) in order to install the malware.
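A mail-gateway or sandbox triage check for the attachment pattern described above, as an added example that is not part of the original article or of any vendor's product: the weaponized decks used against Sandworm carry an OLE object relationship whose target is external to the package (a UNC path to an attacker-controlled share) alongside embedded OLE parts. The script opens an Office Open XML container, walks its `.rels` parts and flags any OLE relationship marked `TargetMode="External"`. The detection rule is a heuristic chosen here, and the sample package, including the 192.0.2.10 address, is constructed in memory for the demonstration.

```python
"""Heuristic triage of Office Open XML attachments (pptx/ppsx/docx/xlsx):
flag OLE object relationships whose Target lies outside the package.
Added example; the rule and the sample files are constructed here and are
not taken from the original article."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def is_unc_target(target: str) -> bool:
    """True if a relationship Target is a UNC share (\\\\host\\share),
    optionally wrapped in a file: URI (file:///\\\\host\\share)."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:].lstrip("/")
    return t.startswith("\\\\") or t.startswith("//")


def scan_ooxml(data: bytes) -> list:
    """Return human-readable findings for one attachment blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML (zip) container"]
    names = zf.namelist()
    # Embedded OLE payload parts live under */embeddings/ in the package.
    for name in names:
        if "/embeddings/" in name:
            findings.append("embedded OLE part: " + name)
    # Relationship parts declare where each OLE object actually comes from.
    for name in names:
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            findings.append("unparseable relationships part: " + name)
            continue
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != OLE_REL:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode", "Internal") == "External":
                kind = "UNC" if is_unc_target(target) else "external"
                findings.append("%s OLE target in %s: %s" % (kind, name, target))
    return findings


def classify(data: bytes) -> str:
    """'suspicious' if any OLE relationship points outside the package,
    otherwise 'clean'. Non-OOXML input is out of scope and reported clean."""
    if any("OLE target" in f for f in scan_ooxml(data)):
        return "suspicious"
    return "clean"


def make_sample(ole_target=None) -> bytes:
    """Build a minimal, constructed .ppsx-like package in memory.
    With ole_target set, slide1 gets an External OLE relationship plus an
    embedded object part (the weaponized shape); without it, the package is a
    plain single-slide deck. Not a real Office file, just enough for the scan."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if ole_target is not None:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (OLE_REL, ole_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "\n".join(rels))
        if ole_target is not None:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: UNC target on a TEST-NET address, as an illustration.
    weaponized = make_sample("file:///\\\\192.0.2.10\\public\\slides.gif")
    for finding in scan_ooxml(weaponized):
        print(finding)
    print(classify(weaponized), classify(make_sample()))
```

Legitimate linked objects can also use `TargetMode="External"`, so treat a hit as a reason to detonate or quarantine the file, not as proof of exploitation; a file that is not a zip at all (for example a PDF) is out of this scan's scope and needs its own check.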
While initial versions of the malware targeted users of several US and UK banks, this latest one is also aimed at Swiss bank customers, as evidenced by the content of its configuration file.
Adobe patched the Reader vulnerabilities exploited in the aforementioned campaign years ago, and Microsoft issued a patch for the Sandworm bug (MS14-060) earlier this month.
Users who regularly patch their OS and applications were, in this case, safe from danger. They usually are: criminals after banking information and online credentials overwhelmingly rely on exploits for vulnerabilities that have already been patched.
Not opening PowerPoint files, other Office documents, or any other attachments received or downloaded from untrusted sources is another good way to steer clear of malware.