Dyre Banking Malware A Million-Dollar Threat

IBM warns banks and corporate officers of a change to the dangerous Dyre banking Trojan that involves the phone scam used to bypass fraud detection, and a DDoS attack that distracts security teams away from big-money transfers.

The Dyre banking Trojan‘s ascension to the top of the financial malware food chain took a massive leap forward in the first three months of 2015. Already spreading a damaging piece of malware that targets corporate bank accounts, the Eastern European keepers of Dyre recently upped their social engineering game with the addition of a call center-type of operation that pilfers passwords and two-factor authentication PIN codes in order to beat fraud detection systems.

IBM researchers on Thursday disclosed this latest facet to Dyre, and said they’ve seen fraudulent big-money transfers as a result of the malware’s recent changes to the tune of more than $1 million in losses.

“They made a real big change in philosophy and technique during the first quarter,” said John Kuhn senior threat researcher with IBM Managed Security Services.

Not only is the advanced social engineering noteworthy, but within seconds of moving the money out of a high-value account, IBM researchers say the Dyre gang follows that up with a DDoS attack against the targeted bank or organization in order to shift attention and resources away from the theft. Infection rates have climbed from a few hundred at the end of last year to into the thousands, Kuhn said.

“It’s new and very brazen to have a call center to social engineer passwords out of people,” Kuhn said, adding that U.S.-based victims have told IBM that the scammers speak perfect English and there isn’t a tip-off that the call could be fraudulent.

The DDoS attack, meanwhile, is used only against select targets where big-money transfers are involved.

“To buy some time to move the money out, they launch a big reflection-based DDoS attack against the organization,” Kuhn said. “They want to pull resources away [from the fraud], or force resource exhaustion so that the victims can’t log back into the bank.”

Dyre has been in circulation for close to a year and has already caused trouble in a number of arenas beyond the theft of banking credentials. Hackers have used to target Salesforce.com credentials and it was also spotted exploiting the same Windows vulnerability used in an APT attack conducted by the Sandworm group, used to spread Black Energy malware against critical infrastructure.

Dyre infections aren’t much different from other banking malware such as Zeus and Citadel. A spear phishing campaign targets an individual or group within an organization with a malicious attachment or link. If the target falls for the phishing message and executes the attack, the first stage of the infection involves the Upatre dropper with opens a backdoor connection to the attacker’s machine and downloads the Dyre Trojan. Should the victim have access to the corporate bank account—Dyre comes pre-loaded with web injects for hundreds of banks—the malware activates and presents the victim with a message that there is a problem with the account and they’re to call a toll-free number.

The attackers used convincing social engineering tactics to learn information from the victim that will help the criminals sidestep and fraud protection measures the bank would have in place. If successful, the hackers then conduct wire transfers to offshore accounts, and if the target is valuable enough, DDoS the victim.

With millions already stolen from corporate accounts, the Dyre gang is intent on maintaining the viability of its operations, IBM said.

“We monitor Upatre samples, 10-20 or more a day coming in, and the attackers are constantly rewriting it and changing it to avoid detection,” Kuhn said. “They’ve got a heck of an engineering team, recoding things. It’s important to do that in order to get Upatre through perimeter defenses.”

Kuhn said IBM has seen several code revisions since the start of the year.

“Complete code rewrites in some instances,” Kuhn said. “We’ve reversed the code and sometimes it’s doesn’t look the same. They’re constantly changing names, the hash, the way it’s compressed, even changing the icon on the attachment. Victims are getting a .scr executable, but the icon is there tricking them into thinking it’s a PDF file.”

IBM’s data shows that Dyre is the most prolific banking malware in circulation, ahead of Neverquest, Bugat, Zeus and a couple of Brazilian Trojans. Global infection rates continue to climb with most of the victims in North America, about double the number in Europe.

“The phone call and the DDoS attack are significant changes,” Kuhn said. “I don’t know of another campaign or Trojan that targets corporations and not individuals. They are after big money and are successful doing it.”

Suggested articles


  • ian on

    lmfao..ive told several people how to stop and qvoid this...do not ever do online banking...as an engineer..i know many ways to scam people online..so stop using a computer to look at your money..i never do or will.. .tsk tsk..
    • Jon on

      I'm embarrassed to call you a fellow engineer if that is your solution.
  • Peter on

    This is really a continuous corporate education issue. Most have been happy with we have a corporate policy on usage of our computers and there is bad stuff out there, oh and don't download bad stuff. Last you ever hear of security from anyone in IT. People it needs to be a regular program of reinforcement on IT security. 90% of the problems is "It won't happen to us" so they do the minimum to maximize profits. Good luck with that strategy
  • blah on

    Ya...not a good statement. Unfortunately you cannot get away from online banking but there are ways to help. Use a bootable OS from a CD and then do your banking!
  • Javari on

    Most people are broke because the banks stole all of their money so consider it Robin Hood.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.