Ahmed Sonbol

Detecting a Dyzap variant using RSA NetWitness

Blog post created by Ahmed Sonbol on Nov 18, 2016

Dyzap is an information stealer that has been around for a while. The malware can steal usernames and passwords for e-mail, banking and social media accounts. A new variant has recently been spreading through phishing messages. In this blog post we will discuss how to detect it using RSA NetWitness.


Once the malware infects a victim machine, it starts sending data to its server via an HTTP POST request:


Similar network activity originates from different machines infected with Dyzap:


The same user-agent string is used across all the sessions. On RSA NetWitness you can develop an app rule to detect Dyzap traffic:

            service = 80 && client = 'mozilla/4.08 (charon; inferno)'


While malware authors can change a user-agent string from one variant to another, Dyzap network activity is suspicious enough for an analyst to take a closer look. All the sessions above have binary payloads, have no referrers and use only the HTTP POST method. Such anomalies can be easily detected with the RSA IR hunting pack. For more information on the hunting pack, please refer to this document.
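The two detection approaches described above (the exact user-agent match and the POST-only, no-referrer, binary-payload anomaly) can be sketched over parsed HTTP session metadata. This is an added example, not part of the original post or of RSA NetWitness: the field names, the `is_binary` heuristic with its threshold, and the sample sessions are assumptions constructed for illustration.

```python
# Added example: triage of HTTP session metadata using the indicators in this post.
# Field names and sample sessions are constructed; they are not NetWitness meta keys.

DYZAP_UA = "mozilla/4.08 (charon; inferno)"  # user-agent from the app rule above

def is_binary(payload: bytes, threshold: float = 0.30) -> bool:
    """Treat a body as binary if it has a NUL byte or many non-text bytes."""
    if not payload:
        return False
    if b"\x00" in payload:
        return True
    non_text = sum(1 for b in payload if b < 9 or 13 < b < 32 or b > 126)
    return non_text / len(payload) > threshold

def triage(session: dict) -> list:
    """Return the reasons a session deserves a closer look (empty list = none)."""
    reasons = []
    headers = {k.lower(): v for k, v in session.get("headers", {}).items()}
    # Known-variant match; compared case-insensitively (an assumption of this sketch).
    if headers.get("user-agent", "").strip().lower() == DYZAP_UA:
        reasons.append("dyzap-user-agent")
    # Variant-independent anomaly: POST only, no referrer, binary payload.
    methods = {m.upper() for m in session.get("methods", [])}
    if (methods == {"POST"} and not headers.get("referer")
            and is_binary(session.get("body", b""))):
        reasons.append("post-only-no-referer-binary-body")
    return reasons

# Constructed sample sessions (hosts use reserved example names).
SESSIONS = [
    {"id": 1, "methods": ["POST"], "body": bytes(range(256)),
     "headers": {"Host": "c2.example", "User-Agent": "Mozilla/4.08 (Charon; Inferno)"}},
    {"id": 2, "methods": ["POST"], "body": b"\x8f\x02\x00\xfe" * 40,
     "headers": {"Host": "c2.example", "User-Agent": "Mozilla/5.0 (changed)"}},
    {"id": 3, "methods": ["GET", "POST"], "body": b"user=alice&page=2",
     "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0",
                 "Referer": "http://shop.example/cart"}},
]

def flagged(sessions=SESSIONS) -> dict:
    """Map session id -> reasons for every session with at least one hit."""
    return {s["id"]: r for s in sessions if (r := triage(s))}

if __name__ == "__main__":
    for sid, reasons in flagged().items():
        print(sid, reasons)
```

Session 2 shows why the anomaly check matters: its user-agent differs from the app rule, yet the traffic shape still flags it.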


An example of a document that drops this Dyzap variant can be found here. Analysis results of one of those binaries can be found here.


Microsoft has more information on its threat encyclopedia website.


All the IOCs from those sessions were added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs