Dyzap is an information stealer that has been in circulation for some time. The malware harvests usernames and passwords for e-mail, banking and social media accounts. A new variant has recently been spreading through phishing messages. In this blog post we will discuss how to detect it using RSA NetWitness.
Once the malware infects a victim machine, it starts sending the collected data to its command-and-control server in HTTP POST requests:
Similar network activity originates from different machines infected with Dyzap:
The same user-agent string is used across all of these sessions. In RSA NetWitness the User-Agent header is carried in the `client` meta key, so you can create an application rule that detects Dyzap traffic on it:
service = 80 && client = 'mozilla/4.08 (charon; inferno)'
Malware authors can change the user-agent string from one variant to the next, so a rule that depends on it alone will eventually go stale. Dyzap's network behaviour, however, is suspicious enough on its own to warrant a closer look: every session above carries a binary payload, has no Referer header, and uses only the HTTP POST method. Anomalies of this kind are exactly what the RSA IR hunting pack is built to surface. For more information on the hunting pack, please refer to this document.
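To make the two detection approaches concrete, here is an added example that is not part of the original post and not RSA NetWitness code: a small Python triage script that applies both the user-agent match (the app rule above) and the behavioural fallback (POST only, no Referer, binary body) to HTTP sessions. The sessions, hostnames, paths and payload bytes are all constructed for illustration; the `dst_port == 80` check stands in for the `service = 80` clause, which in NetWitness is a service-identification meta rather than a raw port, and the binary-body heuristic is an assumption of this example rather than the hunting pack's own logic.

```python
"""Triage HTTP sessions for Dyzap-style beaconing.

Two checks mirror the post: an exact user-agent match (the app rule) and a
behavioural rule (POST, no Referer, binary body) that survives a change of
user-agent string. Everything in SAMPLE_SESSIONS is constructed, not captured.
"""

DYZAP_UA = "mozilla/4.08 (charon; inferno)"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body.

    Header names are lower-cased so lookups are case-insensitive, in the same
    spirit as the normalised meta keys a packet-capture tool would expose.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def is_binary(body: bytes, threshold: float = 0.3) -> bool:
    """Heuristic (assumption of this example): a body is binary if it contains
    a NUL byte or if more than `threshold` of its bytes are non-text."""
    if not body:
        return False
    if b"\x00" in body:
        return True
    text_bytes = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    non_text = sum(1 for b in body if b not in text_bytes)
    return non_text / len(body) > threshold


def ua_rule(session: dict) -> bool:
    """Python equivalent of: service = 80 && client = 'mozilla/4.08 (charon; inferno)'."""
    ua = session["request"]["headers"].get("user-agent", "")
    return session["dst_port"] == 80 and ua.lower() == DYZAP_UA


def behavioural_rule(session: dict) -> bool:
    """POST with no Referer and a binary payload: the anomaly combination the
    post points out, which does not depend on the user-agent string."""
    req = session["request"]
    return (
        req["method"] == "POST"
        and "referer" not in req["headers"]
        and is_binary(req["body"])
    )


def triage(sessions) -> dict:
    """Return {session_id: [reasons]} for every session that trips a rule."""
    hits = {}
    for s in sessions:
        reasons = []
        if ua_rule(s):
            reasons.append("dyzap-user-agent")
        if behavioural_rule(s):
            reasons.append("post-no-referer-binary-body")
        if reasons:
            hits[s["id"]] = reasons
    return hits


# Constructed sample data: made-up hostnames, paths and payload bytes.
BEACON_BODY = bytes(range(64))  # arbitrary non-text bytes, includes NUL

SAMPLE_SESSIONS = [
    {   # Dyzap-like: known user-agent, POST, binary body, no Referer
        "id": "s1", "dst_port": 80,
        "request": parse_request(
            b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: 64\r\n\r\n" + BEACON_BODY),
    },
    {   # Same behaviour, but the user-agent string has been changed
        "id": "s2", "dst_port": 80,
        "request": parse_request(
            b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
            b"Content-Length: 64\r\n\r\n" + BEACON_BODY),
    },
    {   # Legitimate browser form submission: text body and a Referer
        "id": "s3", "dst_port": 80,
        "request": parse_request(
            b"POST /login HTTP/1.1\r\nHost: www.example.invalid\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
            b"Referer: http://www.example.invalid/login\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 23\r\n\r\nuser=alice&pass=secret1"),
    },
    {   # Ordinary GET with no body
        "id": "s4", "dst_port": 80,
        "request": parse_request(
            b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
    },
]

if __name__ == "__main__":
    for sid, reasons in triage(SAMPLE_SESSIONS).items():
        print(sid, ", ".join(reasons))
```

Session s1 trips both rules, s2 trips only the behavioural rule (the user-agent was changed but the traffic still looks nothing like a browser), and the two benign sessions are left alone. In practice the behavioural rule is the one to hunt on, with the user-agent match serving as a high-confidence confirmation when it fires.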
Microsoft's threat encyclopedia website has more information on the malware family.
All the IOCs from those sessions were added to the following feeds on RSA Live:
- RSA FirstWatch Command and Control Domains
- RSA FirstWatch Command and Control IPs