In the punch-counterpunch world of security it should be taken for granted that cyber thieves will try to find a way around vendors' security moves. So it should come as no surprise that the group behind the Dyreza banking Trojan can now hook into Microsoft's more secure Windows 10 operating system and Edge browser, in addition to earlier versions of Windows and other browsers.
According to Heimdal Security, the Danish malware detection provider that discovered the latest variant, the update also kills a series of processes linked to endpoint security software to ease its infiltration of the systems it infects.
When an infected machine visits an online banking website the Trojan targets, it attempts to steal usernames and passwords and sends the stolen credentials to the attacker.
Dyreza is typically spread by indiscriminate spam campaigns, the company says, although it has also been used to steal administrators' credentials.
Adding Windows 10 support to any malware isn't unexpected. With Microsoft giving the OS away as a free upgrade to Windows 7 and 8 users, its share of the installed base is only going to grow. Those older versions still dominate, but one reporter, looking at data from devices that connect to U.S. government Web sites, concluded that the percentage of Windows 10 PCs has risen sharply.
Heimdal cites estimates that Dyreza has already infected 80,000 machines running Windows Vista and later worldwide. The malware is typically delivered by the Upatre downloader.
The module that kills security software processes is called "aa32" on 32-bit (x86) systems and "aa64" on 64-bit (x64) systems; it injects itself into "spoolsv.exe", the Windows print spooler, to evade detection.
Microsoft, which calls this Trojan Dyzap, has issued this report to warn security teams about the malware. One clue that a PC has been infected is a file at %APPDATA%\local\[random alphanumeric characters].exe; the malware sends the data it collects to a command and control server. Another warning sign is a user suddenly being prompted by a firewall to grant higher access privileges to programs such as explorer.exe and svchost.exe.
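One way to hunt for the indicators above on a Windows host, as an added example that is not code from the article, Heimdal or Microsoft: the script below looks for randomly named executables under %APPDATA%\local (the path is taken literally from the article), for spoolsv.exe instances running from the wrong image path or carrying modules loaded from outside the Windows directory, and for established TCP connections owned by spoolsv.exe to non-private addresses. The six-character name threshold and the "spooler should not talk to the Internet" check are my own heuristics derived from the injection behaviour described, not documented indicators, and code injected into spoolsv.exe without a DLL on disk will not appear in its module list.

```powershell
# Added hunting script (not from the article, Heimdal or Microsoft).
# Assumptions: %APPDATA%\local\<random>.exe is taken literally from the article;
# the spoolsv.exe network check and the name-length threshold are heuristics.
# Run from an elevated PowerShell 5.1+ session on the host being checked.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Randomly named executables under %APPDATA%\local (pattern from the article).
#    Assumption: a bare alphanumeric name of 6+ characters counts as "random".
$dropDir = Join-Path $env:APPDATA 'local'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[A-Za-z0-9]{6,}$' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            Add-Finding 'Random-named EXE in %APPDATA%\local' "$($_.FullName) (signature: $($sig.Status))"
        }
}

# 2. spoolsv.exe anomalies: wrong image path, more than one instance, or
#    modules loaded from outside the Windows directory (the injection target).
$expectedSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
$spoolers = @(Get-Process -Name spoolsv -ErrorAction SilentlyContinue)
if ($spoolers.Count -gt 1) {
    Add-Finding 'Multiple spoolsv.exe instances' ($spoolers.Id -join ', ')
}
foreach ($p in $spoolers) {
    if ($p.Path -and $p.Path -ne $expectedSpooler) {
        Add-Finding 'spoolsv.exe from unexpected path' $p.Path
    }
    try {
        # Reading the module list of a SYSTEM process needs elevation.
        # Caveat: reflectively injected code never shows up here.
        $p.Modules |
            Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
            ForEach-Object { Add-Finding 'Non-Windows module in spoolsv.exe' $_.FileName }
    } catch {
        Add-Finding 'Could not read spoolsv.exe modules' $_.Exception.Message
    }
}

# 3. Established outbound TCP connections owned by spoolsv.exe.
#    Heuristic: the print spooler has no business talking to public addresses.
$privateRanges = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
$spoolerPids = @($spoolers | Select-Object -ExpandProperty Id)
if ($spoolerPids.Count -gt 0) {
    Get-NetTCPConnection -OwningProcess $spoolerPids -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
        ForEach-Object {
            Add-Finding 'spoolsv.exe outbound connection' "$($_.RemoteAddress):$($_.RemotePort)"
        }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Dyreza/Dyzap indicators found on this host.'
}
```

Treat hits as leads for triage rather than proof of infection: a third-party print driver can legitimately load a DLL from outside the Windows directory, and a signed executable under %APPDATA%\local may be a poorly packaged updater. The firewall-prompt indicator from the article is not scripted here because it depends on which firewall product is installed; on a domain host, correlating with proxy logs for connections originating from spoolsv.exe is the faster check.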
Earlier this month Malwarebytes published this technical report on Dyreza.