PhishMe reveals source and metrics behind new phishing attack

Researchers at PhishMe uncovered a new malware threat dubbed “Dyre” about a month ago. Now, a new blog post from PhishMe provides intricate details about a new variation on Dyre that offers a look at the potential source and impact of the threat.

Dyre is a RAT (root access Trojan). Dyre is part of a new generation of phishing scams that make use of cloud-based file sharing services like Dropbox or LogMeIn’s Cubby. The phishing attack distributes links via email to lure unsuspecting users into downloading the malicious file from the file sharing service. Once it is executed, Dyre phones home to designated IP addresses to download additional malicious tools, and attempts to intercept and compromise banking credentials and other sensitive data.

The new attack has been called “Slava Ukraini”. The phrase, which translates to “Glory to Ukraine”, is embedded in the code of the new variant. PhishMe researchers were able to access the associated Google Analytics account for the malware, revealing information about just how many potential victims have clicked on the link, as well as which browsers have been used, and which countries the victims are in.

The phrase “Slava Ukraini” would seem to suggest that the malware is authored by someone in Ukraine. However, that is merely an assumption. It could be written by malware developers sympathetic to the Ukrainian cause, or even perhaps by Russian loyalists in an attempt to obfuscate its true source and lay the blame on Ukraine.

What is most concerning about Slava Ukraini is the apparently low rate of detection by antimalware defenses. According to PhishMe, one component is detected by only 12 out of 53 AV vendors, and other elements are detected by only 10 and 11 AV vendors respectively. Hopefully users have enough common sense not to click on suspicious links or download and execute unknown files, but for those who lack that common sense it doesn’t bode well that only 20 percent of the AV vendors provide adequate protection against the underlying malware.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.