1. Home
  2. Software
  3. Dyre

Dyre

Dyre is a banking Trojan that has been used for financial gain. [1][2]

ID: S0024
Associated Software: Dyzap, Dyreza
Type: MALWARE
Platforms: Windows
Contributors: Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Version: 1.2
Created: 31 May 2017
Last Modified: 22 June 2020

Associated Software Descriptions

Name Description
Dyzap

[3]
Dyreza

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dyre uses HTTPS for C2 communications.[1][2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Dyre registers itself as a service by adding several Registry keys.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

Dyre has the ability to create files in a TEMP folder to act as a database to store information.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Dyre decrypts resources needed for targeting the victim.[1][2]
Enterprise T1041 Exfiltration Over C2 Channel

Dyre has the ability to send information staged on a compromised host externally to C2.[2]
Enterprise T1105 Ingress Tool Transfer

Dyre has a command to download and executes additional files.[1]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dyre has been delivered with encrypted resources and must be unpacked for execution.[2]
Enterprise T1055 Process Injection

Dyre has the ability to directly inject its code into the web browser process.[2]
.001 Dynamic-link Library Injection

Dyre injects into other processes to load modules.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.[2]
Enterprise T1518 Software Discovery

Dyre has the ability to identify installed programs on a compromised host.[2]
Enterprise T1082 System Information Discovery

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[2]
Enterprise T1016 System Network Configuration Discovery

Dyre has the ability to identify network settings on a compromised host.[2]
Enterprise T1033 System Owner/User Discovery

Dyre has the ability to identify the users on a compromised host.[2]
Enterprise T1007 System Service Discovery

Dyre has the ability to identify running services on a compromised host.[2]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[1][2]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[4][5][6]

References

  1. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  2. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  3. Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.
  1. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
  2. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
  3. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.