Both Emotet and Dyzap are trojans that steal personal information, including banking credentials. In a previous blog we detailed how Emotet targets German-language banking websites. In this blog, we will focus on Dyzap – another prevalent banking trojan that predominantly targets English-speaking countries. Dyzap variants target credentials for online banking, crypto currency, payroll services, private keys, and enterprise software. Figure 1 shows how this family can get onto your machine.
Figure 1: Dyzap infection chain
It is interesting to note that Win32/Upatre was distributing Win32/Zbot (aka Gameover v1) and Win32/Crilock (aka CryptoLocker). Following a multi-national action against the GameOver Zeus botnet in June last year, Upatre slowly began distributing Dyzap instead. This change is reflected in the telemetry below.
Figure 2: Monthly machine telemetry for Dyzap
Figure 3: Monthly file telemetry for Dyzap
Dyzap also seems to primarily target English-speaking countries such as the USA, Canada, and the UK.
Figure 4: The ten countries most affected by Dyzap infections
Upatre distribution and the Dyzap payload
The Upatre malware that distributes Dyzap typically spreads through spam email campaigns and, once running, downloads other malware onto the infected PC. Emails in the latest spam campaign (as shown below) claim to have sent the recipient a document; the body of the email reads: “Please look your document attached”.
Figure 5: An example spam email sent by Upatre
The attachment is a malicious ZIP file. We have seen it use the name document81723.zip, but this can change at any time. The ZIP contains an SCR file (a Windows screen saver, which is an executable) whose icon imitates an Adobe PDF document, as shown in the example below:
Figure 6: Malicious ZIP file
We have also seen lures claiming that an invoice has been paid, that a wire transfer has been received, or that the attachment is an internal-only document:
Figure 7: Another example of Upatre spam email
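As an added example (not code from the original post), here is the kind of check a mail gateway can run against the lure just described: it opens a ZIP attachment in memory and flags any member with an executable extension such as .scr, a document-looking double extension, or content that starts with the PE magic "MZ" whatever the file is called. The sample ZIP and the member name document81723.pdf.scr inside it are constructed for this example, and the list of executable extensions is an assumed gateway policy, not something the post specifies.

```python
"""Gateway check for ZIP attachments carrying an executable lure."""
import io
import zipfile

# Assumed policy list: extensions Windows runs on double-click.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate absurdly large members


def _extensions(name):
    """All extensions of a ZIP member name, lowercased: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip_attachment(data: bytes) -> list:
    """Return human-readable findings for a ZIP blob; an empty list means clean."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP file"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{info.filename}: executable extension {exts[-1]}")
            if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
                    and exts[-1] in EXECUTABLE_EXTENSIONS):
                findings.append(f"{info.filename}: document-looking double extension")
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{info.filename}: too large to inspect ({info.file_size} bytes)")
                continue
            # Check the content, not just the name: a renamed .scr is still a PE file.
            with zf.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append(f"{info.filename}: content is a PE executable (MZ header)")
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample, not a real Upatre file: a ZIP whose only member is a
    fake PE stub with a PDF-looking double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document81723.pdf.scr", b"MZ" + b"\x00" * 62 + b"stub")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign attachment for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()), ("benign", build_benign_sample())):
        print(label, inspect_zip_attachment(blob) or "clean")
```

The content check matters more than the name check: the post notes the ZIP name changes at any time, and an attacker can just as easily drop the .scr extension in favour of something a filter does not list. Password-protected ZIPs defeat the content check and should be quarantined on their own.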
If this threat is successfully installed, the latest variant will try to connect to the following URLs to download other malware components:
The downloaded components are encrypted and contain PWS:Win32/Dyzap.F.
Dyzap – stealing your data
The Dyzap family is a banking and financial trojan that targets both enterprise and home users. For example, we have seen this family target the following services:
- Bitcoin and crypto-currency websites
- Online banking websites
- Payroll systems
- SalesForce enterprise software
The full list of targets that we have seen is included in the Appendix of this blog.
PWS:Win32/Dyzap.F downloads a memory-resident component called Grabber.dll that exports the system and browser certificate stores, together with any private keys those certificates reference. Enterprises that use smart cards for authentication, and individuals who use a smart card as a second factor for online banking, may therefore see a prompt to insert a smart card while Dyzap attempts to reach the private key held on the card:
Figure 8: Smart card prompt on Windows 7
Figure 9: Smart card prompt on Windows 8.1
Figure 10: Dyzap’s Grabber.dll memory-resident component code exporting certificates and their corresponding private keys, where available
Figures 8 and 9 show the user prompt raised by Microsoft Cryptographic Services when Grabber.dll calls the crypt32.dll function PFXExportCertStoreEx. That function packages a certificate store into a PFX (PKCS #12) blob and, when asked to include private keys, requests each key from the provider that holds it; for a key that lives on a smart card, that request is what produces the insert-card prompt. Smart cards are designed so that their private keys cannot be exported, so even if the user inserts the card the key will not be stolen by Dyzap in most cases. Certificates whose private keys are stored in software, however, are at particularly high risk of being stolen. The consequences can be severe, since such key pairs are often used for code signing, file encryption, and authentication.
Dyzap also loads another memory-resident component that provides VNC access to the infected machine – giving a malicious hacker access to remotely monitor or control the infected machine. The attackers are able to use this feature to carry out a transaction, transfer, or payroll modification from the infected machine itself.
Detecting and removing Dyzap
After removing an Upatre or Dyzap infection, enterprises should:
- Reset any passwords on infected machines and any credentials that the machine can access.
- Revoke and replace any certificates whose private keys the infected machine had access to.
- Audit any enterprise systems, payroll systems, and bank accounts that the infected machines can access for fraudulent transactions or manipulations.
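The certificate-revocation step above is the one most often skipped, because nobody has a list of what the machine held. The following PowerShell script, added here as an example and not part of the original post, builds that list on a cleaned machine: it walks the personal certificate stores that Grabber.dll exports (the section on Figures 8 to 10 above), records for each certificate with a private key whether the key is software- or smart-card-backed and whether its provider marks it exportable, and writes the software-backed ones out as revocation candidates. It assumes Windows PowerShell 5.1 on .NET 4.6 or later (for RSACertificateExtensions) and an elevated prompt so that Cert:\LocalMachine\My is readable.

```powershell
# Added example: inventory private keys Dyzap could have exported and
# produce a revocation list for the PKI team. Not code from the original post.
$Stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Get-PrivateKeyExposure {
    param([string[]]$Paths = $Stores)

    foreach ($path in $Paths) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                 Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $provider = $null; $hardware = $false; $exportable = $null
            try {
                # Legacy CryptoAPI (CSP) key. Reading the key container is the
                # same operation PFXExportCertStoreEx performs, so on a
                # smart-card-backed certificate this raises the insert-card
                # prompt shown in Figures 8 and 9.
                $csp = $cert.PrivateKey
                if ($csp -and $csp.CspKeyContainerInfo) {
                    $info       = $csp.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $hardware   = [bool]$info.HardwareDevice
                    $exportable = [bool]$info.Exportable
                }
                else {
                    # CNG (KSP) key: export is governed by the key's ExportPolicy.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $provider   = $rsa.Key.Provider.Provider
                        $hardware   = $provider -like '*Smart Card*'
                        $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
                    }
                }
            }
            catch {
                $provider = "error: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Store        = $path
                Thumbprint   = $cert.Thumbprint
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SerialNumber = $cert.SerialNumber
                NotAfter     = $cert.NotAfter
                Usage        = ($cert.EnhancedKeyUsageList.FriendlyName -join ';')
                Provider     = $provider
                OnSmartCard  = $hardware
                Exportable   = $exportable
                # Conservative assumption for incident response: any key stored
                # in software on the infected machine is treated as stolen,
                # whatever its export flag says.
                AssumeStolen = -not $hardware
            }
        }
    }
}

$exposure = Get-PrivateKeyExposure
$exposure | Format-Table Store, Subject, Provider, OnSmartCard, Exportable, AssumeStolen -AutoSize

# One row per certificate to revoke at its issuing CA and reissue.
$exposure | Where-Object AssumeStolen |
    Select-Object Issuer, SerialNumber, Thumbprint, Subject, Usage |
    Export-Csv -NoTypeInformation -Path .\revocation-candidates.csv
```

Run it once per user profile that was logged on to the machine, since Cert:\CurrentUser\My is per user. The AssumeStolen column deliberately ignores the "non-exportable" flag: that flag is enforced by the provider API, and malware running as the user has other ways to read a software key than the one this post describes, so revoking on that basis is the safer call. Revocation itself is done at the issuing CA (for an enterprise CA, with certutil -revoke against the serial numbers in the CSV); the script only prepares the list.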
Home users should:
- Change their online banking credentials after cleaning up the threat.
- Review recent bank transfers to make sure there haven’t been any fraudulent transactions.
- Change account passwords if the PC has been used to access crypto-currency websites.
- Review recent crypto-currency activity for anything they did not initiate.
Geoff McDonald, Patrick Estavillo and Rodel Finones
Table 1 – Dyzap targets as of December, 2014