Dyre Banking Malware A Million-Dollar Threat

IBM warns banks and corporate officers of a change to the dangerous Dyre banking Trojan: a phone scam used to bypass fraud detection, followed by a DDoS attack that distracts security teams from big-money transfers.

The Dyre banking Trojan's ascension to the top of the financial malware food chain took a massive leap forward in the first three months of 2015. Already spreading a damaging piece of malware that targets corporate bank accounts, the Eastern European keepers of Dyre recently upped their social engineering game with the addition of a call center-type operation that pilfers passwords and two-factor authentication PIN codes in order to beat fraud detection systems.

IBM researchers on Thursday disclosed this latest facet to Dyre, and said they’ve seen fraudulent big-money transfers as a result of the malware’s recent changes to the tune of more than $1 million in losses.

“They made a real big change in philosophy and technique during the first quarter,” said John Kuhn, senior threat researcher with IBM Managed Security Services.

Not only is the advanced social engineering noteworthy, but within seconds of moving the money out of a high-value account, IBM researchers say the Dyre gang follows up with a DDoS attack against the targeted bank or organization in order to shift attention and resources away from the theft. Infection rates have climbed from a few hundred at the end of last year into the thousands, Kuhn said.

“It’s new and very brazen to have a call center to social engineer passwords out of people,” Kuhn said, adding that U.S.-based victims have told IBM that the scammers speak perfect English and there isn’t a tip-off that the call could be fraudulent.

The DDoS attack, meanwhile, is used only against select targets where big-money transfers are involved.

“To buy some time to move the money out, they launch a big reflection-based DDoS attack against the organization,” Kuhn said. “They want to pull resources away [from the fraud], or force resource exhaustion so that the victims can’t log back into the bank.”

Dyre has been in circulation for close to a year and has already caused trouble in a number of arenas beyond the theft of banking credentials. Attackers have used it to target Salesforce.com credentials, and it was also spotted exploiting the same Windows vulnerability that the Sandworm APT group used to spread Black Energy malware against critical infrastructure.

Dyre infections aren't much different from those of other banking malware such as Zeus and Citadel. A spear phishing campaign targets an individual or group within an organization with a malicious attachment or link. If the target falls for the phishing message and opens the attachment or link, the first stage of the infection is the Upatre dropper, which opens a backdoor connection to the attacker's machine and downloads the Dyre Trojan. Should the victim have access to the corporate bank account (Dyre comes pre-loaded with web injects for hundreds of banks), the malware activates and presents the victim with a message that there is a problem with the account and that they should call a toll-free number.

The attackers use convincing social engineering tactics to learn information from the victim that helps the criminals sidestep any fraud protection measures the bank has in place. If successful, the attackers then conduct wire transfers to offshore accounts and, if the target is valuable enough, DDoS the victim.

With millions already stolen from corporate accounts, the Dyre gang is intent on maintaining the viability of its operations, IBM said.

“We monitor Upatre samples, 10-20 or more a day coming in, and the attackers are constantly rewriting it and changing it to avoid detection,” Kuhn said. “They’ve got a heck of an engineering team, recoding things. It’s important to do that in order to get Upatre through perimeter defenses.”

Kuhn said IBM has seen several code revisions since the start of the year.

“Complete code rewrites in some instances,” Kuhn said. “We’ve reversed the code and sometimes it doesn’t look the same. They’re constantly changing names, the hash, the way it’s compressed, even changing the icon on the attachment. Victims are getting a .scr executable, but the icon is there tricking them into thinking it’s a PDF file.”
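The delivery trick Kuhn describes, an executable .scr attachment dressed up with a PDF icon, and the related double-extension disguise (invoice.pdf.scr) that Upatre-style droppers rely on, is independent of the hash, packer and icon that keep changing between samples: it can be caught at the mail gateway by comparing what an attachment's name claims with what its leading bytes actually are. The Python below is an added example written for this article, not IBM's tooling and not code from the Dyre or Upatre campaign; the attachment samples are constructed inline and the extension lists are assumptions made for the example.

```python
"""Flag mail attachments whose content does not match what their name implies.

Added example for the article (not IBM's tooling, not Dyre/Upatre code):
a gateway-style check that catches the two disguises described in the text,
an executable .scr sent as an attachment and a PE file named like a document.
All sample attachments below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Leading bytes that identify the content types this check cares about.
MAGIC = {
    b"MZ": "pe-executable",   # Windows PE: .exe, .scr, .dll all start this way
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",     # plain archives and Office .docx/.xlsx containers
}

# Extensions Windows runs directly when double-clicked (.scr is a renamed PE).
# Assumed list for the example; a real gateway policy would be broader.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions users expect to be harmless documents (assumed list).
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


@dataclass(frozen=True)
class Attachment:
    filename: str
    data: bytes


def content_type(data: bytes) -> str:
    """Classify by leading bytes; the icon and extension play no part here."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def assess(att: Attachment) -> list[str]:
    """Return the findings for one attachment; an empty list means clean."""
    findings: list[str] = []
    parts = att.filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = content_type(att.data)

    # 1. A directly executable attachment type, whatever icon it carries.
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable attachment type .{ext}")

    # 2. Double extension such as invoice.pdf.scr: with known extensions
    #    hidden, Explorer shows the user "invoice.pdf".
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
        findings.append(f"double extension .{parts[-2]}.{ext}")

    # 3. The bytes are a PE image but the name claims a document.
    if kind == "pe-executable" and ext in DOCUMENT_EXT:
        findings.append(f"PE header inside a .{ext} file")

    # 4. The name claims a PDF but the bytes are neither a PDF nor a PE:
    #    still worth review, since the icon the user sees comes from the name.
    if ext == "pdf" and kind not in ("pdf", "pe-executable"):
        findings.append("claimed PDF without %PDF header")

    return findings


def scan(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Run assess() over a batch; only attachments with findings are returned."""
    flagged: dict[str, list[str]] = {}
    for att in attachments:
        findings = assess(att)
        if findings:
            flagged[att.filename] = findings
    return flagged


# Constructed samples. A real PE carries a full DOS/NT header; "MZ" is enough
# for the classifier above, which only reads the leading bytes.
SAMPLES = [
    Attachment("Invoice_March_2015.pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00"),  # Upatre-style lure
    Attachment("statement.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),            # genuine PDF
    Attachment("report.pdf", b"MZ\x90\x00"),                                  # PE renamed to .pdf
    Attachment("fax.scr", b"MZ\x90\x00"),                                     # bare .scr
    Attachment("notes.txt", b"just text\n"),                                   # clean
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run as a script it prints the three flagged samples with their reasons. The check deliberately ignores the icon, the hash and the compression scheme, the very things Kuhn says the gang rotates daily; extension policy and magic bytes are the properties a renamed PE cannot change without ceasing to run.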

IBM’s data shows that Dyre is the most prolific banking malware in circulation, ahead of Neverquest, Bugat, Zeus and a couple of Brazilian Trojans. Global infection rates continue to climb with most of the victims in North America, about double the number in Europe.

“The phone call and the DDoS attack are significant changes,” Kuhn said. “I don’t know of another campaign or Trojan that targets corporations and not individuals. They are after big money and are successful doing it.”
