Dyre (also known as Dyreza) is a banking malware discovered in mid-2014. It can intercept HTTPS traffic, using the techniques documented in this Introduction to Dyreza.
When reviewing malware that our customers face, we need to respond rapidly and assess the risk. Dyre is one of the families we encounter in that context, so we are releasing the Volatility plugin we use internally to dump the in-memory configuration of Dyre (Dyreza) samples.
With this plugin, a security analyst can extract, and report on, the financial institutions targeted by a given Dyre sample. The example below shows the targeted URL patterns found in the configuration, obtained by running the plugin against a memory dump of a machine infected with a Dyre sample (MD5: ed74d93a7507471879385205fe92dd3c).
# vol.py --plugins=vol_plugins -f memory.dmp dyrescan
Volatility Foundation Volatility Framework 2.4
YARA rule: {'dyre_conf': 'rule dyre_conf {strings: $a = /<serverlist>/ condition: $a}'}
YARA offset: 0
Configuration size: 190000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (736)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (736)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Configuration found in Process: svchost.exe (884)
[...]
banking.oyakankerbank.de/*
banking.steylerbank.de/*
banking.triodos.co.uk/*
banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*
banking.triodos.co.uk/ib-seam/login.seam?loginType=username*
banking.valovisbank.de/*
banking.valovisbank.de/portal/*
bbonline.banksa.com.au/*
bbonline.banksa.com.au/html/cbank.asp*
bbonline.stgeorge.com.au/*
bbonline.stgeorge.com.au/html/cbank.asp*
[...]
business2.danskebank.co.uk/*
business2.danskebank.co.uk/pub/logon/logon.aspx*
businessaccess.citibank.citigroup.com/*
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessbankingcpo.tdcommercialbanking.com/*
businessbankingcpo.tdcommercialbanking.com/WBB/LoginDisplay*
businessonline.mutualofomahabank.com/*
businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp*
businessonline.westpac.com.au/*
businessonline.westpac.com.au/esis/Login/SrvPage*
butterfieldonline.co.uk/*
[...]
cdsadvfedpynmurspg52281.com
cdtnlxenizm47181.com
charisma.btdirect.ro/*
charisma.btdirect.ro/CharismaWEB/_Public/Login.aspx*
cib.uab.ae/*
cityntl.webcashmgmt.com/*
cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin*
clientlogin.ibb.ubs.com/*
For example, a financial institution that receives or observes a Dyre sample can quickly dump its configuration and determine whether its own online banking URLs are on the target list.
We are also running this plugin across clusters of samples to determine which group is targeting which institutions, which may provide some insight into attribution.
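To make the workflow above concrete (scan memory for the <serverlist> marker, carve the configuration that follows, and check an institution's hostnames against the extracted URL patterns), here is an added stand-alone Python example. It is not the Kudelski plugin's code and does not need Volatility: the real plugin applies the YARA rule shown in the output above through Volatility's yarascan machinery over each process, whereas this example uses a plain regular expression over a memory buffer that is constructed here. The XML-like layout of the configuration block (a <localitems> list of <litem> entries) is an assumption made for the example; the URL patterns inside it are copied from the dump above.

```python
"""Added example, not the plugin's own code: a stand-alone model of the
dyrescan workflow.  Python 3, standard library only."""
import re
from fnmatch import fnmatchcase

# The plugin's YARA rule searches for this marker; here it is a plain regex.
MARKER = re.compile(rb"<serverlist>")
# The plugin reports "Configuration size: 190000"; we assume a fixed carve length.
CONFIG_SIZE = 190000

# Constructed stand-in for a process memory region: filler, then a config
# block.  The <localitems>/<litem> layout is an ASSUMPTION of this example;
# the URL patterns themselves come from the dump shown in the post.
FAKE_MEMORY = (
    b"\x00" * 4096
    + b"<serverlist><server>127.0.0.1:443</server></serverlist>"
    + b"<localitems>"
    + b"<litem>banking.triodos.co.uk/*</litem>"
    + b"<litem>banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*</litem>"
    + b"<litem>bbonline.stgeorge.com.au/html/cbank.asp*</litem>"
    + b"<litem>businessaccess.citibank.citigroup.com/cbusol/signon.do*</litem>"
    + b"<litem>cdsadvfedpynmurspg52281.com</litem>"
    + b"</localitems>"
    + b"\x00" * 4096
)

URL_PATTERN = re.compile(rb"<litem>([^<]+)</litem>")


def find_configs(memory, size=CONFIG_SIZE):
    """Yield (offset, config_bytes) for every <serverlist> hit.

    Mirrors the plugin's "YARA offset" / "Configuration size" reporting: the
    carve starts at the hit and runs for `size` bytes (or to the end of the
    region).  Several hits in one process produce several carves, which is
    why the plugin can print the same PID more than once."""
    for m in MARKER.finditer(memory):
        yield m.start(), memory[m.start():m.start() + size]


def extract_targets(config):
    """Return the target URL patterns (as str) found in one carved config."""
    return [u.decode("ascii", "replace") for u in URL_PATTERN.findall(config)]


def targeted_institutions(patterns, hostnames):
    """Map each hostname to the patterns whose host part matches it.

    Dyre patterns are glob-like ("host/path*"); entries without a slash are
    bare domains.  Only the host part is compared, case-insensitively, so
    "bank.example/*" and "bank.example/login*" both count for "bank.example"."""
    hits = {}
    for host in hostnames:
        matching = [p for p in patterns
                    if fnmatchcase(host.lower(), p.split("/", 1)[0].lower())]
        if matching:
            hits[host] = matching
    return hits


def scan(memory, hostnames):
    """Full workflow: carve every config, union the targets, check the hosts.

    Returns (sorted unique target patterns, {hostname: matching patterns})."""
    targets = set()
    for _offset, config in find_configs(memory):
        targets.update(extract_targets(config))
    targets = sorted(targets)
    return targets, targeted_institutions(targets, hostnames)


if __name__ == "__main__":
    targets, hits = scan(FAKE_MEMORY,
                         ["banking.triodos.co.uk", "www.example-bank.com"])
    for offset, _ in find_configs(FAKE_MEMORY):
        print("Configuration found at offset", offset)
    for t in targets:
        print(t)
    for host, pats in hits.items():
        print(host, "is targeted by", len(pats), "pattern(s)")
```

On a real dump, replace FAKE_MEMORY with the bytes of a process's address space (in Volatility this is what the plugin's yarascan pass walks) and feed in the institution's own login hostnames; an empty `hits` dictionary means none of the carved patterns name that institution, while a non-empty one lists exactly which login URLs the sample watches for.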
Our Volatility plugin for Dyre is available on GitHub: https://github.com/kudelskisecurity-SOC/Volatility-plugins
Hello,
Thanks for sharing your code.
I'm not sure if it is just me, but when I tried using the plugin it somehow resulted in some kind of optparse.OptionConflictError.
Here’s how it goes:
1. First, I have copied the dyrescan plugin to my plugins folder.
2. Running it produced no error.
3. But when I tried calling the yarascan plugin, even just with the "yarascan -h" parameter, it results in
optparse.OptionConflictError: option -C/--case: conflicting option string(s): -C
I'm not sure where exactly the issue is, but downloading a fresh copy of volatility from github basically resolves the issue of "fixing" the optparse.OptionConflictError when running the yarascan plugin again.
Cheers,
Roger