S0024 Dyre
Dyre is a banking Trojan that has been used for financial gain. [1][2]
Item | Value |
---|---|
ID | S0024 |
Associated Names | Dyzap, Dyreza |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 22 June 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Dyzap | [3] |
Dyreza | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Dyre uses HTTPS for C2 communications. [1][2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Dyre registers itself as a service by adding several Registry keys. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Dyre has the ability to create files in a TEMP folder to act as a database to store information. [2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Dyre decrypts resources needed for targeting the victim. [1][2] |
enterprise | T1041 | Exfiltration Over C2 Channel | Dyre has the ability to send information staged on a compromised host externally to C2. [2] |
enterprise | T1105 | Ingress Tool Transfer | Dyre has a command to download and execute additional files. [1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Dyre has been delivered with encrypted resources and must be unpacked for execution. [2] |
enterprise | T1055 | Process Injection | Dyre has the ability to directly inject its code into the web browser process. [2] |
enterprise | T1055.001 | Dynamic-link Library Injection | Dyre injects into other processes to load modules. [1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute. [2] |
enterprise | T1518 | Software Discovery | Dyre has the ability to identify installed programs on a compromised host. [2] |
enterprise | T1082 | System Information Discovery | Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host. [2] |
enterprise | T1016 | System Network Configuration Discovery | Dyre has the ability to identify network settings on a compromised host. [2] |
enterprise | T1033 | System Owner/User Discovery | Dyre has the ability to identify the users on a compromised host. [2] |
enterprise | T1007 | System Service Discovery | Dyre has the ability to identify running services on a compromised host. [2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Dyre can detect sandbox analysis environments by inspecting the process list and Registry. [1][2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0102 | Wizard Spider | [4][5][6] |
References
1. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
2. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
3. Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.
4. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
5. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
6. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.