Dyre Update: Moving to Edge and Windows 10 With Anti-Antivirus
- by nlqip
Renewed Dyre Commands
Dyre uses a Windows named pipe for inter-process communication, passing commands from the main module it injects into the Windows Explorer process (explorer.exe) to other processes. The commands are passed both to browsers launched by the user and to stealthy worker processes launched by the malware itself.
In the new sample, most of the commands discussed in previous F5 research have been replaced and a few new ones have been added, along with new functionality.
The following is a list of new commands and their functions:
- lli – Get the botid name
- srvv – Get the C&C IP
- dpsr – Get the data POST server IP
- grop – Get the botnet name
- seli – Get the self-IP
- gcrc – Get the fake pages configuration
- gcrp – Get the server-side webinjects configuration
- pngd – Get the account information stolen by the Pony module
- sexe – Among other jobs, it copies the droppee path and its content both to Dyre’s special structure and to the configuration file on disk. It also tries to get the anti-antivirus module from the C&C.
- gsxe – Get the droppee path
Additional Protection Layers
Here is a list of new features designed to add protection from removal and detection:
Pipe Name
The pipe’s name is no longer hardcoded (e.g. “\\.\pipe\3obdw5e5w4”). It is now derived from a hash of the computer name and the Windows OS version, so it differs from host to host and a fixed-string indicator for the pipe name no longer matches.
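The following is an added example, not code from the F5 research or from the Dyre sample, showing why the per-host pipe name defeats a hardcoded-string indicator and what a defender can still check. The derivation function is a stand-in: the write-up says the name is a hash of the computer name and OS version but does not give the algorithm, so `derive_pipe_name` is an assumption shaped only to produce names that look like the old “3obdw5e5w4”. The pipe listing, allowlist and host name are constructed sample data.

```python
import hashlib
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PIPE_PREFIX = "\\\\.\\pipe\\"          # the literal \\.\pipe\ namespace prefix
OLD_HARDCODED_LEAF = "3obdw5e5w4"       # the fixed name quoted in the write-up


def derive_pipe_name(computer_name: str, os_version: str) -> str:
    """Hypothetical per-host pipe name (assumption, not Dyre's real function):
    SHA-256 over "<computer name>|<OS version>", rendered as 10 lowercase
    alphanumerics so it has the same shape as the old hardcoded name."""
    digest = hashlib.sha256(f"{computer_name}|{os_version}".encode("utf-8")).digest()
    n = int.from_bytes(digest[:8], "big")   # 64 bits is plenty for 10 base-36 digits
    chars = []
    for _ in range(10):
        n, r = divmod(n, 36)
        chars.append(ALPHABET[r])
    return PIPE_PREFIX + "".join(chars)


def leaf(pipe_path: str) -> str:
    """Strip the \\.\pipe\ prefix and return just the pipe's own name."""
    return pipe_path.rsplit("\\", 1)[-1]


def matches_hardcoded_ioc(pipe_path: str) -> bool:
    """The pre-update detection: an exact match on the old fixed name."""
    return leaf(pipe_path) == OLD_HARDCODED_LEAF


# Constructed allowlist of pipe names a baseline of this (fictional) host showed.
KNOWN_GOOD = {"lsass", "wkssvc", "srvsvc", "epmapper", "InitShutdown", "ntsvcs", "spoolss"}

# Shape of a machine-generated leaf: only lowercase letters/digits, 8+ chars.
RANDOM_LEAF = re.compile(r"[a-z0-9]{8,}")


def flag_suspicious_pipes(pipe_paths, known_good=KNOWN_GOOD):
    """Post-update heuristic: report pipes that are not on the host baseline
    and whose name looks generated (all lowercase alphanumerics, 8+ chars,
    and either containing a digit or 10+ chars long). Returns leaf names."""
    hits = []
    for path in pipe_paths:
        name = leaf(path)
        if name in known_good:
            continue
        if not RANDOM_LEAF.fullmatch(name):
            continue
        if any(c.isdigit() for c in name) or len(name) >= 10:
            hits.append(name)
    return hits


# Constructed pipe listing, in the form `Get-ChildItem \\.\pipe\` would show.
SAMPLE_PIPES = [
    PIPE_PREFIX + "lsass",
    PIPE_PREFIX + "srvsvc",
    PIPE_PREFIX + "InitShutdown",
    PIPE_PREFIX + "mojo.1234.5678",              # dotted browser IPC name, not flagged
    PIPE_PREFIX + OLD_HARDCODED_LEAF,            # the old fixed Dyre name
    derive_pipe_name("WS-042", "10.0.10240"),    # per-host name for a constructed host
]

if __name__ == "__main__":
    for p in SAMPLE_PIPES:
        print(f"{p:40s} hardcoded-IOC={matches_hardcoded_ioc(p)}")
    print("heuristic hits:", flag_suspicious_pipes(SAMPLE_PIPES))
```

Running it shows the exact-match indicator firing only on the old fixed name and missing the derived one, while the allowlist-plus-shape heuristic catches both. On a real host the listing would come from `Get-ChildItem \\.\pipe\` in PowerShell, and the allowlist has to be baselined per image, since any shape rule alone will also flag legitimate generated names.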