Dyre

Dyre is a banking Trojan that has been used for financial gain.[1][2]

ID: S0024
Associated Software: Dyzap, Dyreza
Type: MALWARE
Platforms: Windows
Contributors: Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Version: 1.2
Created: 31 May 2017
Last Modified: 22 June 2020

Associated Software Descriptions

Name    Description
Dyzap   [3]
Dyreza  [3]

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Dyre registers itself as a service by adding several Registry keys.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Dyre decrypts resources needed for targeting the victim.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dyre uses HTTPS for C2 communications.[1][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Dyre has the ability to create files in a TEMP folder to act as a database to store information.[2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dyre has been delivered with encrypted resources and must be unpacked for execution.[2]

Enterprise T1082 System Information Discovery

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[2]

Enterprise T1033 System Owner/User Discovery

Dyre has the ability to identify the users on a compromised host.[2]

Enterprise T1007 System Service Discovery

Dyre has the ability to identify running services on a compromised host.[2]

Enterprise T1016 System Network Configuration Discovery

Dyre has the ability to identify network settings on a compromised host.[2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[1][2]

Enterprise T1518 Software Discovery

Dyre has the ability to identify installed programs on a compromised host.[2]

Enterprise T1105 Ingress Tool Transfer

Dyre has a command to download and execute additional files.[1]

Enterprise T1055 Process Injection

Dyre has the ability to directly inject its code into the web browser process.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Dyre injects into other processes to load modules.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Dyre has the ability to send information staged on a compromised host externally to C2.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.[2]
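A detection for the every-minute scheduled task described above, as an added example that is not ATT&CK's or the Dyre sample's own code: it parses Windows Security event 4698 ("a scheduled task was created") records, whose TaskContent field carries the task definition XML, and flags tasks whose repetition interval is one minute or less. The event and task XML namespaces are the documented Windows ones; the two event records are constructed sample data, not real logs.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

def duration_seconds(iso):
    """Convert an ISO 8601 duration such as PT1M or PT1H30M into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def short_interval_tasks(events_xml, max_seconds=60):
    """(task name, interval, command) of 4698 events whose task repeats every <= max_seconds."""
    hits = []
    for ev in ET.fromstring(events_xml).iter(EVT + "Event"):
        if ev.findtext(f"{EVT}System/{EVT}EventID") != "4698":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.iter(EVT + "Data")}
        # TaskContent holds the (already unescaped) task definition XML; drop any <?xml ...?> header
        content = re.sub(r"^<\?xml[^>]*\?>", "", data.get("TaskContent", "<Task/>"))
        task = ET.fromstring(content)
        for interval in task.iter(TASK + "Interval"):
            secs = duration_seconds(interval.text)
            if secs is not None and secs <= max_seconds:
                cmd = task.findtext(f".//{TASK}Command") or ""
                hits.append((data.get("TaskName"), interval.text, cmd))
                break
    return hits

def make_event(task_name, task_xml):
    """Build a constructed 4698 event record (not real log data) for testing."""
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

# Constructed sample: a daily backup task and a task that repeats every minute
# from a TEMP path, the persistence pattern described for Dyre above.
SAMPLE_EVENTS = "<Events>" + make_event(r"\Microsoft\Windows\Backup",
    f'<Task xmlns="{TASK[1:-1]}"><Triggers><CalendarTrigger><StartBoundary>'
    '2020-06-22T03:00:00</StartBoundary></CalendarTrigger></Triggers><Actions>'
    r'<Exec><Command>C:\Windows\System32\wbadmin.exe</Command></Exec></Actions></Task>'
) + make_event(r"\Updater",
    f'<Task xmlns="{TASK[1:-1]}"><Triggers><TimeTrigger><Repetition><Interval>PT1M'
    '</Interval></Repetition></TimeTrigger></Triggers><Actions><Exec><Command>'
    r'C:\Users\user\AppData\Local\Temp\update.exe</Command></Exec></Actions></Task>'
) + "</Events>"
```

Only the TEMP-path task is returned; the daily backup task has no repetition interval and is ignored.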

Groups That Use This Software

ID Name References
G0102 Wizard Spider [4][5][6]

References