One Article Review

Source BAE
Identifier 352314
Publication date 2017-03-06 12:14:18 (viewed: 2017-03-06 12:14:18)
Title Peering into Dyre's Traffic
Text

Written by: Sergei Shevchenko, Cyber research

Dyre (also known as Dyreza) is a banking trojan that has got quite a bit of attention over the last few months. Nevertheless, it's always interesting to re-visit a known threat to see what has changed.

This post provides an insight into the traffic encryption used by Dyre and what additional components it relies on. The provided source code allows decryption of downloaded Dyre configurations and plugins from the known C&C hosts.

But let's start from the dropper.

The sample of Dyre (MD5: b7db8e9943ab39a60d8470fe2f859164) is delivered in the form of a dropper that performs several stages of memory allocation and decryption operations until the actual payload code gets control.

The dropper first allocates memory, decrypts a decoder in it, and then passes control to it. Once the decoder gets control, it reconstructs a PE file back at the original virtual address. The PE file is restored section by section. Next, its import table is fully reconstructed. These steps are well outlined in this post.

The restored PE file is a 2nd-stage dropper. It registers itself as a service "gupdate", and then injects a final payload DLL into the svchost.exe or explorer.exe process.

This 2nd-stage dropper carries the following randomly-named resources:
• uzgn23wmb - 256-byte key
• twry615nl - 32-bit resource DLL
• ysfh426g0 - 64-bit resource DLL

Depending on whether the target is running a 32-bit or 64-bit system, it will inject either a 32-bit payload DLL or a 64-bit one. The injection is achieved with the ZwQueueApcThread() API call. This injection method has already been used by Carberp, and its source code is publicly available.

The injected DLL

The DLL injected by the 2nd-stage dropper into svchost.exe or explorer.exe contains the following 5 randomly named resources:
• 7GEYB8BZ3 (48 bytes) - XOR key for the following 2 resources:
• 0KYOX5YCG (4,900 bytes) - VNC server module (has a debug string 'F:\cppgit\mose\Release\vnchelper.pdb' in it)
• 5DQRM0TQI (53,224 bytes) - keylogger plugin
• 8HRUV7NZJ (160 bytes) - 384-bit elliptic curve DSA public key, used to check the validity of digital signatures
• 9JTIC6HXH (1,184 bytes) - encrypted & signed configuration file with the list of C&C hosts

The most important resource is the encrypted configuration file. The encryption algorithm used to protect this file is based on standard AES 256-bit
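As an added example (not code from the BAE post), the following Python triage helper models the injected DLL's resource layout described above: it tries the 48-byte resource as a repeating XOR key against the other resources and keeps only the decodings that parse as PE files, which is how an analyst can confirm which blobs a short key resource actually protects. The repeating-key XOR scheme, the function names and the resource contents are assumptions; only the resource names and sizes come from the article.

```python
import struct
from itertools import cycle

E_LFANEW = 0x3C  # offset of the e_lfanew field in the DOS header


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme: the key is reused every len(key) bytes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check: 'MZ' DOS stub and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, E_LFANEW)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_plugins(resources: dict, key_size: int = 48) -> dict:
    """Treat every resource of exactly key_size bytes as a candidate XOR key,
    apply it to the other resources and keep the outputs that parse as PE."""
    candidates = {n: d for n, d in resources.items() if len(d) == key_size}
    recovered = {}
    for kname, key in candidates.items():
        for rname, data in resources.items():
            if rname != kname and looks_like_pe(xor_repeating(data, key)):
                recovered[rname] = xor_repeating(data, key)
    return recovered


def fake_pe(size: int) -> bytes:
    """Constructed stand-in for a plugin DLL: MZ header, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, E_LFANEW, 0x80)
    body = bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return body + b"\xCC" * (size - len(body))


# Constructed sample using the resource names and sizes listed in the article;
# the contents are made up here, not taken from the malware.
SAMPLE_KEY = bytes(range(1, 49))
SAMPLE_RESOURCES = {
    "7GEYB8BZ3": SAMPLE_KEY,
    "0KYOX5YCG": xor_repeating(fake_pe(4900), SAMPLE_KEY),    # VNC module
    "5DQRM0TQI": xor_repeating(fake_pe(53224), SAMPLE_KEY),   # keylogger plugin
    "8HRUV7NZJ": bytes((i * 37 + 11) & 0xFF for i in range(160)),   # not XOR-protected
    "9JTIC6HXH": bytes((i * 53 + 7) & 0xFF for i in range(1184)),   # not XOR-protected
}

if __name__ == "__main__":
    for name, pe in recover_plugins(SAMPLE_RESOURCES).items():
        print(f"{name}: recovered {len(pe)}-byte PE image")
```

On a real sample, feed the function the named resources extracted from the injected DLL; the public key and configuration resources are left untouched because they do not decode to PE images under the key.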
Sent Yes

