MSRT January 2015 – Dyzap


This month we added the Win32/Emotet and Win32/Dyzap malware families to the Malicious Software Removal Tool.

Both Emotet and Dyzap are trojans that steal personal information, including banking credentials. In a previous blog we detailed how Emotet targets German-language banking websites. In this blog, we will focus on Dyzap – another prevalent banking trojan that predominantly targets English-speaking countries. Dyzap variants target credentials for online banking, crypto currency, payroll services, private keys, and enterprise software. Figure 1 shows how this family can get onto your machine.

Figure 1: Dyzap infection chain

It is interesting to note that Win32/Upatre was distributing Win32/Zbot (aka Gameover v1) and Win32/Crilock (aka CryptoLocker). Following a multi-national action against the GameOver Zeus botnet in June last year, Upatre slowly began distributing Dyzap instead. This change is reflected in the telemetry below.

Figure 2: Monthly machine telemetry for Dyzap

Figure 3: Monthly file telemetry for Dyzap

Dyzap also seems to primarily target English-speaking countries such as the USA, Canada, and the UK.

Figure 4: The ten countries most affected by Dyzap infections

Upatre distribution and the Dyzap payload

The Upatre malware that distributes Dyzap typically spreads through spam email campaigns and then downloads other malware onto the infected PC. Emails in the latest spam campaign (as shown below) claim to have sent the recipient a document, and the body of the email reads: “Please look your document attached”.

Figure 5: An example spam email sent by Upatre

The attachment is a malicious ZIP file. We have seen it use the name document81723.zip, but this can change at any time. The file extracts to an SCR file that imitates a screen saver or Adobe PDF document, as shown in the example below:

Figure 6: Malicious ZIP file

We’ve also seen examples that claim an invoice has been paid, that a wire transfer has been received, or that an internal-only document is attached:

Figure 7: Another example of Upatre spam email

If this threat is successfully installed, the latest variant will try to connect to the following URLs to download other malware components:

  • nikahsekerievi.com/wp-includes/<removed>/<removed>.pne
  • morye.net/mandoc/<removed>.pne

The downloaded components are encrypted and contain PWS:Win32/Dyzap.F.

Dyzap – stealing your data

The Dyzap family is a banking and financial trojan that targets both enterprise and home users. For example, we have seen this family target the following services:

  • Bitcoin and crypto-currency websites
  • Online banking websites
  • Payroll systems
  • SalesForce enterprise software

The full list of targets that we have seen is included in the Appendix of this blog.

PWS:Win32/Dyzap.F downloads a memory-resident component called Grabber.dll that grabs the certificate stores as well as any referenced private keys from the system and browsers. Some enterprises using smart-cards for authentication or individuals using smart-cards for online banking two-factor authentication may see a prompt to insert a smart card as Dyzap searches for the private key contained on their smart card:

Figure 8: Smart card prompt on Windows 7

Figure 9: Smart card prompt on Windows 8.1

Figure 10: Dyzap’s ‘Grabber.dll’ memory-resident component code exporting certificates and corresponding private keys if available

Figures 8 and 9 show the user prompt from Microsoft Cryptographic Services provided through the crypt32.dll PFXExportCertStoreEx function. Smart cards are typically designed to make it difficult to extract their private keys, and even if the user were to insert a smart card containing their private key it would not be stolen by Dyzap in most cases. However, certificates and private key pairs not stored on smart cards are at a particularly high risk of being stolen. The implications of these stolen pairs can be severe, since they are often used for purposes such as code signing, file encryption, and authentication.

Dyzap also loads another memory-resident component that provides VNC access to the infected machine – giving a malicious hacker access to remotely monitor or control the infected machine. The attackers are able to use this feature to carry out a transaction, transfer, or payroll modification from the infected machine itself.

Detecting and removing Dyzap

Microsoft security products, such as Microsoft Security Essentials, include detection for Upatre and Dyzap. To help stay protected you should keep your security software up to date.

After removing an Upatre or Dyzap infection, enterprises should:

  1. Reset any passwords on infected machines and any credentials that the machine can access.
  2. Revoke and replace any certificates whose private keys the infected machine had access to.
  3. Audit any enterprise systems, payroll systems, and bank accounts that the infected machines can access for fraudulent transactions or manipulations.
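One way to scope step 2, as an added example that is not code from the MMPC post or the MSRT: a PowerShell script (assumes Windows PowerShell 5.1 with .NET 4.6 or later, and the helper name Get-AtRiskCertificate is our own) that lists certificates in the user and machine stores whose private key is software-held and marked exportable, which is the class of key a PFXExportCertStoreEx call like the one in Figure 10 can hand over, so those certificates can be prioritised for revocation and replacement.

```powershell
# Added example (not from the MMPC post): enumerate certificates with private keys in the
# current user's and machine's "My" stores and report whether each key is software-based
# and exportable. Keys on smart cards or flagged non-exportable are reported separately,
# since PFX export cannot normally pull those out of the provider.

function Get-AtRiskCertificate {
    param(
        [string[]] $StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey })) {
            $provider   = 'unknown'
            $exportable = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG-backed key: ExportPolicy says whether the key may leave the provider at all
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key container
                    $info       = $rsa.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                }
            } catch {
                # Key not accessible right now (e.g. smart card not inserted) or not an RSA key
            }
            [pscustomobject]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                Provider    = $provider
                Exportable  = $exportable
                HardwareKey = ($provider -match 'Smart Card')
            }
        }
    }
}

# Certificates whose keys an in-process PFX export could have taken: software keys marked exportable
Get-AtRiskCertificate |
    Where-Object { $_.Exportable -eq $true -and -not $_.HardwareKey } |
    Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter, Provider -AutoSize
```

Run it in the context of each user who logged on to the infected machine; the LocalMachine store needs an elevated session to read private key properties.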

Home users should:

  1. Change their online banking credentials after cleaning up the threat.
  2. Review recent bank transfers to make sure there haven’t been any fraudulent transactions.
  3. Change account passwords if the PC has been used to access crypto-currency related websites.
  4. Review recent crypto-currency activity on their accounts.

Geoff McDonald, Patrick Estavillo and Rodel Finones
MMPC

Appendix

Table 1 – Dyzap targets as of December, 2014


Comments (3)

  1. adwbust says:

    Does UAC prompt for scr execution now? UAC should have a file extension blacklist update-able through WU.

    MS and IE cert stores shouldn't be accessible to dlls that aren't whitelisted nor signed! Create a behavior sig for such suspect access.

  2. adwbust says:

    MS discontinued ANS out of impulse to save face. It didn't save face as hoped though. MS seriously needs to invest more on engineers that are quality and not outsourced. Maybe cut out on marketing since the name is already household known? Also team building and coordination. MS might have their own antivirus dept but said team isn't closely coordinating with the Windows, Office, etc teams. There's a barrier between the teams. Sad. Change the company culture.

    http://blogs.technet.com/b/msrc/archive/2015/01/07/evolving-advance-notification-service-ans-in-2015.aspx

  3. Brad p says:

    Microsoft Essentials is not resolving my issues. It finds the item, however it does not permanently remove it.
