Dyreza banking malware now supports Windows 10, Edge browser

In the punch-counterpunch world of security it should be taken for granted that cyber thieves will try to find a way around security moves by vendors. So it should come as no surprise that those behind the Dyreza banking Trojan can now hook into Microsoft’s more secure Windows 10 operating system and Edge browser, in addition to earlier versions of Windows and other browsers.

According to Heimdal Security, a Denmark malware detection provider that discovered the latest variant, the update also  kills a series of processes linked to endpoint security software to make its infiltration into infected systems.

When an infected machine goes to an online banking website that the trojan targets it attempts to steal usernames and passwords and sends the stolen information to a malicious hacker.

Typically Dyreza is spread by random spam campaigns, the company says, although it has also been used to steal administrators’ credentials.

Adding support for Windows 10 for any malware isn’t unexpected. With Microsoft giving the OS away as an update to Windows 8 and 7 users the percentage of users is only going to grow. While they still dominate one reporter concluded by looking at data from devices that connect to U.S. government Web sites that the percentage of Win10 PCs has risen sharply.

Heimdal says there are estimates that Dyreza has already infected 80,000 machines from Windows Vista and up worldwide. The malware is typically delivered via the Upatre downloader.

The module that kills processes used in security software is called “aa32” (x86) for 32 bit or “aa64” (x64) for 64-bit, injecting itself in “spoolsv.exe” so it can evade detection.

Microsoft, which calls this trojan Dryzap, has issued this report to warn security teams on the malware. One clue an PC has been infected is discovering an encrypted log file in this format:  %APPDATA% \local\[random alpha numeric characters].exe  which sends collected data to a command and control server. Another warning sign is that a user is suddenly prompted by a firewall to allow higher access privleges to programs such asexplorer.exe and svchost.exe.

Earlier this month Malwarebytes published this technical report on Dyreza.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now