The Trojan targets websites of companies that provide order fulfillment, warehouse management, wholesale computer distribution and other services. Cyber-criminals using the Dyreza computer trojan appear to be shifting gears from online banking and moving into the industrial supply chain.New versions of Dyreza are configured to steal credentials for order fulfillment, warehousing, inventory management, e-commerce and other IT and supply chain services. This represents a deliberate strategy on the part of attackers to target new industries at all points across the supply chain, researchers from security firm Proofpoint said in a blog post.“We suspect a financial motivation,” they said. “Once an attacker has obtained login credentials for their targeted systems, the potential to harvest payment information, make fraudulent financial transfers, and even divert physical shipments is immense.”Dyreza first appeared in June 2014 and was originally designed to steal online banking credentials by injecting its code into the local browser processes and monitoring login sessions. This attack technique is known as man-in-the-browser (MITB) and is commonly used by online banking trojans. However, the attackers behind Dyreza have quickly developed an interest in more types of accounts. Over time, the trojan’s target list was expanded to include job hunting, file hosting, domain registration, website hosting, tax services and online retail websites. In September 2014, Salesforce.com issued an alert to customers that Dyreza is targeting Salesforce credentials.Last month, the Proofpoint researchers spotted over thirty new websites in the trojan’s hit list. They belong to fulfillment and warehousing service providers; wholesale computer distributors and companies that offer inventory management, credit card processing, print distribution, print management, marketing, information management, storage and other IT services. Shopify, Apple and Iron Mountain are on the list. “This latest evolution of Dyreza should dispel once and for all the myth that only financial institutions are targeted by credential-stealing MITB attacks from this malware strain.”The trojan is distributed through well-crafted email attacks that include documents with malicious macro scripts embedded in them.In one example, attackers sent an email masquerading as a secure message from a bank. The attached Word document included the bank’s logo and address, the date and what looked like an encrypted block of text. The page also has a “Secured by RSA” logo and the instruction to click on the “Enable Content” button in order to view the message.Clicking on the “Enable Content” button does not decrypt the text. Instead, it executes the embedded macro script which downloads and installs Dyreza. Related content brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe