Dyre banking malware now targets Windows 10 and the Edge browser
Dyre, also known as Dyreza, appeared on the cybercrime scene in July 2014 and has quickly gained a reputation as a nasty piece of malware that aims to steal credentials.
It's been found to target Salesforce users and banking customers, and more recently was discovered to have been adapted to steal credentials from a range of supply-chain businesses, including fulfilment and warehousing, inventory-management software vendors and wholesale computer distributors.
Security firm Heimdal has reported that the malware -- sold as a cybercrime-for-hire service -- has now been updated to support the targeting of Windows 10 and its Edge browser.
Heimdal estimates there are around 80,000 infected Windows machines. It notes that Dyre is typically distributed via spam campaigns and is often delivered by a devious downloader known as Upatre, which Cisco detailed earlier this year.
As it stands, adding Windows 10 support only widens the target to a sliver of the overall Windows user base, given there were only 110 million devices running it in early October.
The latest version of Windows accounts for eight percent of the world's PCs, according to Netmarketshare figures. The malware already supports Windows 7, Windows 8.1, XP and Vista, so the update rounds out its coverage of current Windows releases rather than opening a new one.
Dyreza 'hooks' into browser processes and uses that privileged position to monitor for connections to specified domains and collect credentials as the victim keys them in. The style of attack is known as 'man in the browser': because the malicious code runs inside the browser process, it sees form data before it is encrypted for transport, so an HTTPS padlock offers the victim no protection against it.
Microsoft has also updated its information on Dyreza, or Dyzap as it calls it, corroborating Heimdal's findings that the malware does indeed monitor Microsoft Edge, as well as Google Chrome, Internet Explorer and Mozilla Firefox.
The Redmond company this week detailed significant efforts to harden Edge against certain web attacks, but noted that its measures are far from offering a silver bullet against malware. Those defences address code that arrives through the browser; they do little against malware that is already running on the host with the user's privileges and reaches into the browser from outside.
Microsoft also lists about 150 domains that Dyreza monitors for, mostly US and European banking websites but also bitcoin websites.
According to Microsoft, Windows users who find executables with random alphanumeric names at %APPDATA%\local\[random alpha numeric characters].exe may be infected by the malware. Note that on a standard Windows install %APPDATA% expands to the user's AppData\Roaming folder, so a check should also cover %LOCALAPPDATA% (AppData\Local), where a 'local' subfolder of the profile data normally lives.
Another sign of infection is if users are "suddenly prompted by their firewall to allow higher access privileges to programs such as explorer.exe and svchost.exe". Those are system processes that do not normally ask for new network permissions, and an unexpected prompt is consistent with code injected into them trying to reach out to the network.
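The indicators above (randomly named executables under the AppData folders, unexpected firewall rules for explorer.exe and svchost.exe) and the in-process hooking described earlier can be checked from an elevated PowerShell prompt. The script below is an added triage example written for this article; it is not code from Heimdal, Microsoft or the Dyre samples. The function names, the "eight or more letters and digits" heuristic for a random file name, and the list of browser process names are this example's own assumptions, and anything it reports is a lead for review rather than a verdict.

```powershell
# Added triage script (not from the article, Heimdal or Microsoft).
# Assumptions: function names, the random-name heuristic and the browser
# process list below are this example's own choices.

# 1. Randomly named executables in the AppData locations Microsoft cites.
#    %APPDATA% normally expands to ...\AppData\Roaming, so "%APPDATA%\local"
#    is checked literally and %LOCALAPPDATA% (...\AppData\Local) as well.
function Find-SuspiciousAppDataExe {
    $dirs = @(
        (Join-Path $env:APPDATA 'local'),
        $env:LOCALAPPDATA,
        $env:APPDATA
    ) | Where-Object { Test-Path $_ }

    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^[A-Za-z0-9]{8,}$' } |   # assumed heuristic
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Signature = $sig.Status   # dropped loaders are usually unsigned
                    Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Created   = $_.CreationTime
                }
            }
    }
}

# 2. Enabled allow rules whose program is explorer.exe or svchost.exe.
#    Windows ships legitimate svchost.exe rules, so compare against a
#    known-good host rather than treating every hit as malicious.
function Find-ShellFirewallRules {
    Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            if ($app.Program -match '\\(explorer|svchost)\.exe$') {
                [pscustomobject]@{
                    Name      = $rule.DisplayName
                    Direction = $rule.Direction
                    Profile   = $rule.Profile
                    Program   = $app.Program
                }
            }
        }
}

# 3. Man-in-the-browser hooking needs a module inside the browser process.
#    List modules in running browsers whose Authenticode signature is not
#    valid. Browser process names are assumed; legacy Edge uses
#    MicrosoftEdge/MicrosoftEdgeCP, Chromium-based Edge uses msedge.
function Find-UnsignedBrowserModules {
    $browsers = 'chrome', 'firefox', 'iexplore', 'MicrosoftEdge', 'MicrosoftEdgeCP', 'msedge'
    foreach ($p in Get-Process -Name $browsers -ErrorAction SilentlyContinue) {
        try { $modules = $p.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    Pid     = $p.Id
                    Module  = $m.FileName
                    Status  = $sig.Status
                }
            }
        }
    }
}

Find-SuspiciousAppDataExe   | Format-Table -AutoSize
Find-ShellFirewallRules     | Format-Table -AutoSize
Find-UnsignedBrowserModules | Format-Table -AutoSize
```

Run it as the logged-on user for the AppData checks and elevated for the firewall and module enumeration; the SHA256 values it prints can be compared against your own threat-intelligence feed, and the module list should be reviewed against what the same browser version loads on a clean machine, since legitimate extensions and security products also inject unsigned or differently signed modules.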