The US Computer Emergency Readiness Team (CERT) has issued a warning on Monday about a malicious email campaign delivering the Dyre banking Trojan, aka Dyreza. The malicious messages were detected in the middle of the month, and there is no particular demographic targeted by the cybercriminals.
The New Dyre Attack Exploits Vulnerability in Adobe Reader
Several variants of the attack have been distinguished so far. They vary in the theme of the email, the sender address and the used exploits. Still, they all have the same goal – to lure the user into opening the corrupted attached file that claims to be an invoice in the form of a PDF file. The malicious attachment, Invoice621785.pdf, contains exploits for vulnerabilities in Adobe Reader. This makes computer users with older and unpatched versions of the reader the perfect target.
CVE-2013-2729 is one of the vulnerabilities that allows execution of arbitrary code in Adobe Acrobat and Reader versions earlier than 9.5.5, 10.1.7, 11.0.03.
The first time the Dyre banking Trojan was spotted was in January this year and has been associated with numerous malicious campaigns since. One of the popular ones is the attack against Salesforce clients in September.
Dyre Testing Period in the Summer
The main purpose of the Dyre Trojan is to collect banking log-in details and send them to the operator. Reportedly, it was adapted to steal also other types of credentials lately. The Dyre banking In a recent attack the Trojan has included Bitcoin websites on his target-list in the configuration file.
Campaigns, delivering the Dyre Trojan have been active all summer. The piece was included in phishing emails, claiming to be sent by JP Morgan financial institution. Another phishing email purported to be a notification for a voice message.
Experts reveal that the Trojan has been improved recently and is currently using its own SSL certificate that provides it with secure communication with the C&C server and hide malicious traffic.
Users are advised to be extra careful when they receive unsolicited emails and be attentive to spelling and grammar mistakes in the messages. Specialists point out that the presence of Google Update Service might be an indication of infection.