Bitcoin sites targeted using old vulnerability in Adobe (Dyreza Malware)
TrendMicro Labs has reported that it has spotted the old Adobe vulnerability being leveraged by cyber criminals to launch attacks against Bitcoin sites. The cyber criminals are using the old tried and tested vulnerabilities in Adobe product to inject Dyreza malware into Bitcoin related websites.
In its latest post it said that,
“We recently spotted DYREZA malware leveraging an old vulnerability found existing in Adobe Reader and Acrobat and covered under CVE-2013-2729. Accordingly, once this vulnerability is successfully exploited it could lead to the execution of arbitrary code on the affected system”
Dyreza
Dyreza is a banking malware which is spread through spammed emails.  The emails are sent to victims which contain a Adobe PDF file with a juicy and interesting name.  When the victim clicks on the PDF, it offloads its payload aka Dyreza which is then executed.  Once executed it exploits a old vulnerability in Adobe, CVE-2013-2729 and starts downloading the required files to steal the victims banking credentials.
DYREZA malware uses spammed message that purports to be an invoice notification as its infection vector. It has a malicious .PDF file attachment, detected by Trend Micro as TROJ_PIDIEF.YYJU. When executed, it exploits the CVE-2013-2729 vulnerability, which leads to the download of TSPY_DYRE.EKW, a variant of DYREZA (also known as DYRE and DYRANGES).
Bitcoin Targets spotted
Only in this case, the latest targets are Bitcoin related sites. Â Bitcoins are a powerful enticer for the cyber criminals both in terms of returns and in terms of anonymity(though it is not that anonymous).
TrendMicro notes that users and enterprises are at risk since DYREZA can get other types of data such as personal identifiable information (PII) and credentials via browser snapshots. One of its payloads, the CUTWAIL botnet leads to the download of both UPATRE and DYRE malware. Â The Dyre malware is notable for stealing vital information via injecting malicious codes onto certain banking and bitcoin login webpages. Dyre also has abilities to connect and transfer information to its handlers. Some of the bitcoin pages it monitors are:
bitbargain.co.uk/*
bitbargain.co.uk/login*
bitpay.com/*
bitpay.com/merchant-login*
localbitcoins.com/*
localbitcoins.com/accounts/login*
www.bitstamp.net/*
www.bitstamp.net/account/login*
The top country affected thus far from this latest attack are users from Ireland, United States, Canada, Great Britain, and Netherlands.
Solution
TrendMicro Labs states that the only solution against this attack is to update the related softwares and use prudence while opening any attachment.
