Dyre is a banking malware discovered in middle of 2014. It can intercept HTTPS traffic, using techniques documented in this Introduction to Dyreza.

In the context of our review of malware faced by customers, we need to rapidly respond and assess the risk. Dyre is malware found in such context, and we are releasing a Volatility plugin that we are using internally to dump configuration in memory for Dyre (Dyreza) samples.

dyrescan


By using this plugin, a security analyst can extract and report on the financial institutions targeted by the Dyre sample. See an example below of the targeted URL in the configuration file. We are running against a memory dump of a Dyre sample (MD5: ed74d93a7507471879385205fe92dd3c).

# vol.py --plugins=vol_plugins -f memory.dmp dyrescan
Volatility Foundation Volatility Framework 2.4
YARA rule: {'dyre_conf': 'rule dyre_conf {strings: $a = /<serverlist>/ condition: $a}'}
YARA offset: 0
Configuration size: 190000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (736)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (736)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (884)
[...]
banking.oyakankerbank.de/*
banking.steylerbank.de/*
banking.triodos.co.uk/*
banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*
banking.triodos.co.uk/ib-seam/login.seam?loginType=username*
banking.valovisbank.de/*
banking.valovisbank.de/portal/*
bbonline.banksa.com.au/*
bbonline.banksa.com.au/html/cbank.asp*
bbonline.stgeorge.com.au/*
bbonline.stgeorge.com.au/html/cbank.asp*
[...]
business2.danskebank.co.uk/*
business2.danskebank.co.uk/pub/logon/logon.aspx*
businessaccess.citibank.citigroup.com/*
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessbankingcpo.tdcommercialbanking.com/*
businessbankingcpo.tdcommercialbanking.com/WBB/LoginDisplay*
businessonline.mutualofomahabank.com/*
businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp*
businessonline.westpac.com.au/*
businessonline.westpac.com.au/esis/Login/SrvPage*
butterfieldonline.co.uk/*
[..]
cdsadvfedpynmurspg52281.com
cdtnlxenizm47181.com
charisma.btdirect.ro/*
charisma.btdirect.ro/CharismaWEB/_Public/Login.aspx*
cib.uab.ae/*
cityntl.webcashmgmt.com/*
cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin*
clientlogin.ibb.ubs.com/*

For example, if a financial institution receives or see Dyre samples, they could rapidly detect and determine if their company is targeted by the sample.

We are using this plugin on clusters of samples to determine which group is targeting which institution. It may also provide insight on attribution.

Our Volatility plugin for Dyre is available on GitHub: https://github.com/kudelskisecurity-SOC/Volatility-plugins

One thought on “Volatility plugin for Dyre

  1. Hello,

    Thanks for sharing your code.

    I’m not sure if it just only me but when I tried using the plugin it somehow resulted to some kind of optparse.OptionConflictError.

    Here’s how it goes:

    1. First, I have copied the dyrescan plugin to my plugins folder.

    2. Running it produced no error.

    3. But when I tried calling the yarascan plugin even just by “yarascan -h” parameter, it results to
    optparse.OptionConflictError: option -C/–case: conflicting option string(s): -C

    I’m not sure where exactly the issue is? But downloading a fresh copy of volatility from github basically resolves the issue of “fixing” the optparse.OptionConflictError by running yarascan plugin again.

    Cheers,
    Roger

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s