Fake Pages

An attack vector that strongly identified the Dyre malware is massively used now by Dridex authors. To accomplish that, the latest uses the same old “redirection” technique. The malware part that resides inside the browser implementation (“Man-in-the-Browser”) is able to intercept the browser’s requests sent to any domain and redirect them to the attacker’s controlled server. The redirection details of which requests to redirect and their exact destination are controlled using the “redirect” directive in the malware configuration.

By using this redirection technique, attackers could fetch an external malicious script in their code by using the bank’s domain name in the script’s source URL. For example, the malware can inject a script with a source of “www.mybank.com/evil_script.js”. This request is intercepted by the Trojan in the browser and the bank’s domain name is replaced with the fraudster’s domain, like “www.evil.com/evil_script.js”. This way the fraudsters could avoid exposing their domain name in the code injected to the bank’s page and make the request to the external malicious script look legitimate. By observing the attributes of the “redirect” directive in the configuration, it seems also to be related to the VNC and SOCKS functionality of the malware.

This redirection functionality was leveraged to also redirect requests for login pages.