Dyreza Campaigners Set Sights on the Fulfillment and Warehousing Industry

September 28, 2015
Proofpoint Staff

Overview

Within the last week, the now infamous “man-in-the-browser” (MITB) banking malware Dyreza appears to have significantly expanded its target set of entities from which to steal credentials.

Dyreza originally focused on intercepting end-user bank logins, and later expanded to job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories [2]. As of September 17th Dyreza  now counts an additional twenty organizations directly involved in Fulfillment and Warehousing; four software companies that support Fulfillment and Warehousing; five Wholesale Computer Distributors; and its credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems and many other well-known consumer- and business-facing technology and service brands.

Part I: The Phish

In a typical new campaign, for example the September 22 US-focused Dyre campaign (ID 2209us13), the attackers provided an email that was designed to appear as though it had come from a legitimate bank, and used the Subject line: “You have received a secure e-mail.” The email urged the user to read and reply to the secure email by opening the attachment while connected to the Internet.

Figure 1: Phishing email with attachment

Part II: The Attachment

When the email recipient opens the attachment, they encounter a ‘secure’ Office document. The document claims to be encrypted, and the user is urged to “PLEASE ENABLE CONTENT* TO SEE THIS DOCUMENT.” Pressing the “Enable Content” button in Word then enables macros embedded in the documents, which in turn activate a secondary payload. The attackers’ request for Internet connectivity (in the email body) is significant, as this specific macro, known as Xbagging or Bartallex [1], downloads the payload from Internet, rather than unpacking it from within an email attachment   a technique used to avoid detection by security programs.

Figure 2: The malicious attachment

The payload downloaded by the document is Upatre, which in turn downloads Dyreza. Dyreza in addition may download one of two dedicated spambots to further spread the botnet.

Part III: The New Targets

The specific changes Proofpoint observed are in the “<rpcgroup>” section of Dyreza’s configuration. This section contains directives to Dyreza to sniff POSTs within the users’ browser and send them to the Dyre C2. As can be seen below, the targeted companies include those in the Warehouse and Fulfillment business, as well as those that create Warehouse and Fulfillment software.

Conclusion

The specific changes observed represent a clear and deliberate strategy on the part of attackers to target a new industry, at all points across the supply chain. In that regard, this latest evolution of Dyreza should dispel once and for all the myth that only financial institutions are targeted by credential-stealing MITB attacks from this malware strain. The observed campaigns clearly use sophisticated malware and phishing techniques in targeted attacks against major Fulfillment, Warehousing, and Distribution targets. We suspect a financial motivation. Once an attacker has obtained login credentials for their targeted systems, the potential to harvest payment information, make fraudulent financial transfers, and even divert physical shipments is immense. In order to stay ahead of attackers, organizations should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.

Organizations Targeted for Interception and Credential Theft

Fulfillment and Warehousing:

Website

Services provided

accentbranding.com

Marketing, Ecommerce, Fulfillment

access.alivefulfillment.com

app.atcostfulfillment.com

Ecommerce, Fulfillment

app.shipwire.com

Logistics, Supply Chain Management and Order Fulfillment

elink.echodata.com

Fulfillment

fcp.efulfillmentservice.com

Ecommerce Fulfillment

fmw.ferbermidwest.com

Storage, distribution and fulfillment services and multiple warehouses

idsnet.teamidslogistics.com

Fulfillment & warehousing

inventory.landiscowhse.com

Warehousing

leadersystems.com.au

Manufacturer & distributor of high quality Information Communications Technology (ICT) products

login.webgistix.com

Procuring, warehousing, packaging and shipping

my.fulfillrite.com

eCommerce order fulfillment

secure.aerofulfillment.com

eCommerce Fulfillment Services

wdlsslc.idsfulfillment.com

Fulfillment

web.nfsrv.com

Fulfillment

www.capacityllc.com

Fulfillment

www.four51.com

Online order management system for B2B eCommerce

www.fsifulfillment.com

Online Order Fulfillment, Warehousing

www.sprocketexpress.com

Ecommerce, Order Processing, Fulfillment and Back-Office service

www.swfulfillment.com

Specialty Fulfillment Center

 

Software: Inventory management, Warehouse Management, Ecommerce Platform, etc

Website

Services provided

qnet.e-quantum2k.com

Software: print distribution, order entry, inventory management, accounts receivable / payable, ledger, credit card processing, sales tax import, etc

secure-wms.com

Warehouse Management Software

speedorder.speedfc.com

www.speedcommerce.com

Ecommerce platform development; hosting, managed ecommerce, and marketing services; order and inventory management; pick, pack, and ship; returns processing; and 24/7 customer care

www.shopify.com

Build your online store with Shopify's ecommerce software

 

Wholesale Computer Distributors:

Website

Services provided

ec.synnex.com

www.synnex.ca

Information technology supply chain services. Canadian Wholesale Computer Distributor.

us-new.ingrammicro.com

Wholesale technology products distributor; sales and distribution network

www.anyware.com.au

Importers and wholesalers of computer components and peripherals

www.bluechipit.com.au

National wholesalers of computer components, systems and peripherals

www.bluepoint.net

UK Distributor of IT Products: Components, Peripherals, Systems and Notebooks

 

Other:

Website

Services provided

secure*.store.apple.com

Apple

li.ironmountain.com

Storage and information management

www.otterbox.com

Smartphone Case manufacturer

www.badgergraphics.com

Print management and marketing firm

 

IOCs

Value

Type

5f707df691a7820bfe530f394bef61c1f7fd48496bff120bd2bcb6c9c9a550ae

Attachment hash

afce5c6f08f26ebb12b9724fcb04009a9d54bb02c388e686135a381cecda8237

Upatre (id 22_U13) hash

dc8849a7d9c25b4168327259bfd82e83bb308485824664b19e79c6c6be998f8c

Dyreza (id 2209us13) hash

197.149.90.166

Upatre C2

195.154.105.117:443

Dyreza C2

217.12.202.99:443

Dyreza C2

[hxxp://quotearabiasale[.]com/wp-content/themes/ePix/lib/adm/inc/phpFlickr/cache/5716367236.txt]

Xbagging additional code

[hxxp://sahabatbuku[.]com/wp-content/themes/bazar/core/assets/images/menu/5716367236.txt]

Xbagging additional code

[hxxp://quotearabiasale[.]com/wp-content/themes/ePix/lib/adm/inc/phpFlickr/cache/pipi.txt]

Xbagging payload URL

[hxxp://sahabatbuku[.]com/wp-content/themes/bazar/core/assets/images/menu/pipi.txt]

Xbagging payload URL

[hxxp://pcsolutionsexpert[.]com/wp-content/uploads/2015/08/calc.exe]

Upatre

[hxxps://94.40.82.66/Ares13.zip]

Upatre Downloading Dyre

[hxxps://94.141.130.9/Ares13.zip]

Upatre Downloading Dyre

[hxxps://91.246.105.164/Ares13.zip]

Upatre Downloading Dyre

[hxxps://89.239.120.43/Ares13.zip]

Upatre Downloading Dyre

[hxxps://87.249.142.189/Ares13.zip]

Upatre Downloading Dyre

[hxxps://85.135.104.170/Ares13.zip]

Upatre Downloading Dyre

[hxxps://82.160.64.45/Ares13.zip]

Upatre Downloading Dyre

[hxxps://82.115.76.211/Ares13.zip]

Upatre Downloading Dyre

[hxxps://78.72.233.105/Ares13.zip]

Upatre Downloading Dyre

[hxxps://78.108.101.67/Ares13.zip]

Upatre Downloading Dyre

[hxxps://77.48.30.156/Ares13.zip]

Upatre Downloading Dyre

[hxxps://72.230.82.80/Ares13.zip]

Upatre Downloading Dyre

[hxxps://72.175.10.116/Ares13.zip]

Upatre Downloading Dyre

[hxxps://69.9.204.114/Ares13.zip]

Upatre Downloading Dyre

[hxxps://69.144.171.44/Ares13.zip]

Upatre Downloading Dyre

[hxxps://68.70.242.203/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.222.201.61/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.222.201.222/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.221.195.6/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.221.147.66/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.207.229.215/Ares13.zip]

Upatre Downloading Dyre

[hxxps://65.33.236.173/Ares13.zip]

Upatre Downloading Dyre

[hxxps://63.248.156.246/Ares13.zip]

Upatre Downloading Dyre

[hxxps://45.64.159.18/Ares13.zip]

Upatre Downloading Dyre

[hxxps://42.47.213.123/Ares13.zip]

Upatre Downloading Dyre

[hxxps://37.57.144.177/Ares13.zip]

Upatre Downloading Dyre

[hxxps://27.109.20.53/Ares13.zip]

Upatre Downloading Dyre

[hxxps://24.33.131.116/Ares13.zip]

Upatre Downloading Dyre

[hxxps://24.148.217.188/Ares13.zip]

Upatre Downloading Dyre

[hxxps://213.92.138.154/Ares13.zip]

Upatre Downloading Dyre

[hxxps://209.27.49.117/Ares13.zip]

Upatre Downloading Dyre

[hxxps://208.117.68.78/Ares13.zip]

Upatre Downloading Dyre

[hxxps://203.129.197.50/Ares13.zip]

Upatre Downloading Dyre

[hxxps://203.115.103.27/Ares13.zip]

Upatre Downloading Dyre

[hxxps://197.210.199.21/Ares13.zip]

Upatre Downloading Dyre

[hxxps://194.28.191.245/Ares13.zip]

Upatre Downloading Dyre

[hxxps://186.68.94.38/Ares13.zip]

Upatre Downloading Dyre

[hxxps://185.89.64.160/Ares13.zip]

Upatre Downloading Dyre

[hxxps://180.233.123.210/Ares13.zip]

Upatre Downloading Dyre

[hxxps://176.101.135.103/Ares13.zip]

Upatre Downloading Dyre

[hxxps://173.248.31.6/Ares13.zip]

Upatre Downloading Dyre

[hxxps://173.216.247.74/Ares13.zip]

Upatre Downloading Dyre

[hxxps://150.129.49.11/Ares13.zip]

Upatre Downloading Dyre

[hxxps://142.47.213.123/Ares13.zip]

Upatre Downloading Dyre

[hxxps://112.133.203.43/Ares13.zip]

Upatre Downloading Dyre

[hxxps://109.199.11.51/Ares13.zip]

Upatre Downloading Dyre

[hxxps://94.40.82.66/Ares13.zip]

Upatre Downloading Dyre

[hxxps://94.141.130.9/Ares13.zip]

Upatre Downloading Dyre

[hxxps://91.246.105.164/Ares13.zip]

Upatre Downloading Dyre

[hxxps://89.239.120.43/Ares13.zip]

Upatre Downloading Dyre

[hxxps://87.249.142.189/Ares13.zip]

Upatre Downloading Dyre

[hxxps://85.135.104.170/Ares13.zip]

Upatre Downloading Dyre

[hxxps://82.160.64.45/Ares13.zip]

Upatre Downloading Dyre

[hxxps://82.115.76.211/Ares13.zip]

Upatre Downloading Dyre

[hxxps://78.72.233.105/Ares13.zip]

Upatre Downloading Dyre

[hxxps://78.108.101.67/Ares13.zip]

Upatre Downloading Dyre

[hxxps://77.48.30.156/Ares13.zip]

Upatre Downloading Dyre

[hxxps://72.230.82.80/Ares13.zip]

Upatre Downloading Dyre

[hxxps://72.175.10.116/Ares13.zip]

Upatre Downloading Dyre

[hxxps://69.9.204.114/Ares13.zip]

Upatre Downloading Dyre

[hxxps://69.144.171.44/Ares13.zip]

Upatre Downloading Dyre

[hxxps://68.70.242.203/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.222.201.61/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.222.201.222/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.221.195.6/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.221.147.66/Ares13.zip]

Upatre Downloading Dyre

[hxxps://67.207.229.215/Ares13.zip]

Upatre Downloading Dyre

[hxxps://65.33.236.173/Ares13.zip]

Upatre Downloading Dyre

[hxxps://63.248.156.246/Ares13.zip]

Upatre Downloading Dyre

[hxxps://45.64.159.18/Ares13.zip]

Upatre Downloading Dyre

[hxxps://42.47.213.123/Ares13.zip]

Upatre Downloading Dyre

[hxxps://37.57.144.177/Ares13.zip]

Upatre Downloading Dyre

[hxxps://27.109.20.53/Ares13.zip]

Upatre Downloading Dyre

[hxxps://24.33.131.116/Ares13.zip]

Upatre Downloading Dyre

[hxxps://24.148.217.188/Ares13.zip]

Upatre Downloading Dyre

[hxxps://213.92.138.154/Ares13.zip]

Upatre Downloading Dyre

[hxxps://209.27.49.117/Ares13.zip]

Upatre Downloading Dyre

[hxxps://208.117.68.78/Ares13.zip]

Upatre Downloading Dyre

[hxxps://203.129.197.50/Ares13.zip]

Upatre Downloading Dyre

[hxxps://203.115.103.27/Ares13.zip]

Upatre Downloading Dyre

[hxxps://197.210.199.21/Ares13.zip]

Upatre Downloading Dyre

[hxxps://194.28.191.245/Ares13.zip]

Upatre Downloading Dyre

[hxxps://186.68.94.38/Ares13.zip]

Upatre Downloading Dyre

[hxxps://185.89.64.160/Ares13.zip]

Upatre Downloading Dyre

67.221.147.103:4443

Dyre C2

67.221.156.105:4443

Dyre C2

78.8.174.25:443

Dyre C2

195.154.106.76:443

Dyre C2

173.252.48.79:443

Dyre C2

212.182.101.2:4443

Dyre C2

78.8.9.55:443

Dyre C2

185.74.84.55:443

Dyre C2

91.232.45.149:443

Dyre C2

91.232.45.40:443

Dyre C2

67.221.156.165:443

Dyre C2

89.161.51.115:4443

Dyre C2

109.87.63.98:443

Dyre C2

114.30.73.130:443

Dyre C2

115.119.250.245:443

Dyre C2

173.252.50.124:4443

Dyre C2

181.174.91.90:443

Dyre C2

186.46.142.66:443

Dyre C2

188.255.154.180:4443

Dyre C2

195.191.34.245:443

Dyre C2

206.116.171.216:443

Dyre C2

206.123.60.93:4443

Dyre C2

212.109.179.197:443

Dyre C2

216.57.165.182:443

Dyre C2

67.221.146.67:4443

Dyre C2

67.221.146.107:4443

Dyre C2

67.221.156.216:4443

Dyre C2

69.27.57.164:4443

Dyre C2

83.241.176.230:4443

Dyre C2

89.140.63.207:443

Dyre C2

103.230.220.8:443

Dyre C2

109.86.226.85:443

Dyre C2

150.129.48.147:443

Dyre C2

150.129.49.139:443

Dyre C2

173.185.166.94:4443

Dyre C2

176.120.201.9:443

Dyre C2

181.112.153.202:443

Dyre C2

184.190.64.35:4443

Dyre C2

188.120.194.101:4443

Dyre C2

206.123.58.42:4443

Dyre C2

208.123.135.106:4443

Dyre C2

82.100.4.60:443

Dyre C2

150.129.49.162:443

Dyre C2

188.125.38.100:443

Dyre C2

213.92.204.37:443

Dyre C2

91.238.241.26:443

Dyre C2

84.54.191.170:443

Dyre C2

89.174.116.76:443

Dyre C2

195.117.104.102:443

Dyre C2

193.189.77.76:443

Dyre C2

91.239.244.187:443

Dyre C2

46.174.237.115:443

Dyre C2

73.38.228.117:4443

Dyre C2

206.222.25.58

Dyre C2

195.154.105.117:443

Dyre C2

217.12.202.99:443

Dyre C2

67.221.147.103:4443

Dyre C2

67.221.156.105:4443

Dyre C2

78.8.174.25:443

Dyre C2

195.154.106.76:443

Dyre C2

173.252.48.79:443

Dyre C2

212.182.101.2:4443

Dyre C2

78.8.9.55:443

Dyre C2

185.74.84.55:443

Dyre C2

91.232.45.149:443

Dyre C2

91.232.45.40:443

Dyre C2

67.221.156.165:443

Dyre C2

89.161.51.115:4443

Dyre C2

109.87.63.98:443

Dyre C2

114.30.73.130:443

Dyre C2

115.119.250.245:443

Dyre C2

173.252.50.124:4443

Dyre C2

181.174.91.90:443

Dyre C2

186.46.142.66:443

Dyre C2

188.255.154.180:4443

Dyre C2

195.191.34.245:443

Dyre C2

206.116.171.216:443

Dyre C2

206.123.60.93:4443

Dyre C2

212.109.179.197:443

Dyre C2

216.57.165.182:443

Dyre C2

67.221.146.67:4443

Dyre C2

67.221.146.107:4443

Dyre C2

 

References

[1] https://www.proofpoint.com/us/threat-insight/post/Its-Not-Personal-Its-Business

[2] www.threattracksecurity.com/it-blog/dyre-targets-more-websites/