Banking Trojan Lurks Inside Innocent Fax Messages, Bitdefender Warns
Threat uses server-side polymorphism technique to bypass antivirus software.
A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, Bitdefender malware analysts warn.
Interestingly enough, each downloaded archive is named differently to bypass antivirus software. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new.
The archive content looks like regular PDF files. They are in fact executable files with a PDF icon. They act as downloaders that fetch and execute the Dyreza banker Trojan, also known as Dyre.
Dyre Malware Analysis
Despite facing a threat known to resist reverse-engineering techniques, Bitdefender malware researchers have managed to analyze it and uncover the list of targeted websites. Customers of reputable financial and banking institutions from the US, UK, Ireland, Germany, Australia, Romania, and Italy have been targeted.
However, despite the relative sophistication of the attack, it still relies on the user’s curiosity to look into the archive and manually run its contents. A bit of caution can reduce the chances of infection. Here’s what several malicious links look like:
According to Bitdefender Labs, 30,000 malicious emails were sent in one day from spam servers in the US, Russia, Turkey, France, Canada, and the UK. Curiously, the campaign’s name – 2201us – seems to indicate the attack date (22nd January) and the targeted country (US), Bitdefender malware researchers found.
Bitdefender detects and blocks all elements of the threat: the .js file, the downloader, and the executable. The Trojan is detected as Gen:Trojan.Heur.AuW@Izubv1ni. Bitdefender reminds users to avoid clicking links in emails from unknown email addresses and, of course, to keep their anti-malware solution up-to-date with the latest virus definitions.