New Dyre variant outsmarts AV researchers’ sandboxes
“Since it was first spotted in June 2014, the Dyre/Dyreza banking Trojan has become extremely popular with cyber crooks, and especially those that target businesses.
The malware owes its success to several capabilities: it bypasses most AV solutions, it allows attackers to control browser traffic and perform Man-in-the-Middle attacks, as well as circumvent 2-factor authentication. Paired with tried and true delivery methods such as social engineering and macro-based droppers, it’s easy to see why Dyre is so well liked by criminals.
Now Seculert researchers have discovered new changes that make Dyre more difficult to detect and analyze.
“This version of the Dyre malware is able to evade analysis by sandboxing solutions by checking how many processor cores the machine has. If the machine has only one core it immediately terminates,” noted Seculert CTO Aviv Raff.
“As many sandboxes are configured with only one processor with one core as a way to save resources, the check performed by Dyre is a good and effective way to avoid being analyzed. On the other hand, most of the machines (PCs) in use today have more than one core.”
This change allows the malware to bypass a number of non-commercial, publicly available sandboxes, as well as four commercial ones. The developers have been promptly notified of this fact.
“This was not the only change made to the Dyre malware in order to help it avoid detection. While the communication path Dyre followed might have stayed the same, it did switch user agents,” he added. “Changing user agents is a known technique in order to avoid detection by signature-based systems. Additionally, some minor changes were made to the way the malware behaves in the system also as a means to avoid signature-based detection products.”
This last trick has also been recently incorporated (along with other clever modifications) by the developers of the Upatre downloader, a piece of malware that is often used to deliver the Dyre banking Trojan.”