Despite the fact that the criminals allegedly behind the creation and distribution of the Dyre banking Trojan are in a Russian jail, a new piece of malware in the wild has enough similarities to Dyre that researchers are wondering whether there’s a connection.
The new malware is called TrickBot and for now, it’s targeting banks in Australia given a number of webinjects found in the code. TrickBot looks like a rewrite of Dyre, researchers at Fidelis Cybersecurity said, cautioning that while there are some similar aspects between the two, such as the loader used by both, there are a number of new features in TrickBot that cast some doubt on the connection.
According to a report published today, Dyre was written in C, while TrickBot was written in C++. TrickBot also utilizes Microsoft CryptoAPI rather than onboard SHA256 or AES routines such as Dyre employed. Finally, the bot interfaces with TaskScheduler rather than running commands directly, Fidelis said.
“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot,” Fidelis researchers wrote. “With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.”
The Dyre gang was arrested in November 2015 in Moscow after years of stealing banking passwords from compromised machines, and in some cases, credentials for Salesforce accounts. The malware was used to steal millions from its victims; it spread via spam and phishing emails enticing victims to open a malicious attachment or follow a link to a malware download.
Fidelis said the malware includes a custom crypter in TrickLoader that was also used in the Cutwail spambot, which Fidelis said was used by the Dyre gang in its spam campaigns.
Fidelis also identified a number comparable features to Dyre in the bot, in particular around its use of built-in hash functions. This version, however, has deployed Microsoft CryptoAPI and COM.
“The bot also uses a very similar but slightly modified version of the old Dyre C2 decryption, this routine is then used for encrypting/decrypting all data respectively,” Fidelis said. “The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot.”
Fidelis said the first bots it saw were built to retrieve system information, but as of last Thursday, a new bot was found that included a browser inject module.
“While the bot is still missing quite a lot from what was previously seen in Dyre it is obvious that there is correlation between the code used in this bot and that from Dyre,” Fidelis said. “As the bot appears in development they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It’ll be interesting to see if TrickBot can reach or pass its predecessor.”