A strain of malware which previously targeted banks has turned its attention to users of the popular Customer Relationship Management (CRM) software Salesforce, used by 100,000 organizations and millions of subscribers, according to SC Magazine’s report.
Dyre, detected by ESET software as Win32/Battdil.A, is believed to be an entirely new strain of malware, and has in the past targeted users of large banks, siphoning data from machines to steal logins, with additional features allowing it to bypass some two-factor authentication systems.
Salesforce software posted a warning on its site this month saying, “Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”
Dyre has previously targeted Bank of America and Citigroup customers, as well as a number of British banks such as NatWest. It is thought to be delivered as a "service" to criminal customers: on sale to the highest bidder.
Salesforce software: Under threat from hi-tech malware
The Register says of the remote-access Trojan (RAT), “Once it's installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.”
It’s unclear why Salesforce software users are being targeted. SC Magazine speculates that the switch may be due to a specific order from a “customer”.
The magazine points out that while the company does not publish specific customer numbers of its Salesforce software, it’s estimated that 160,000 organizations and around five million subscribers use the cloud software.
Dyre: New strain of malware on sale to highest bidder
Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to but sufficiently distinct from, the Zeus malware. The news that it is targeting Salesforce software users is an entirely new "use" for the malware.
Dyre was initially designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.
The phishing campaign first used to spread the malware worked via asking users to download a zip file that claims to contain invoices or federal tax information. Dropbox quickly removed the links from its system, but the hackers switched to Cubby, a similar service, to continue their campaign.