Security researchers issue Dyre warnings as banking Trojan spikes again


An estimated 19,000 emails infected with Dyre have been sent in three days from spam servers around the world, encouraging recipients to download an archive containing a malicious .exe file. Bitdefender has warned that the file is a downloader that grabs the Dyreza banker Trojan, also known as Dyre, and runs it on victims' systems.

The attacker's opening gambit is an email purportedly from a tax consultant asking the recipient to download a file and provide information to complete a financial transaction. This is followed up the next day by a similar email with attachments posing as financial documentation – the email asks the recipient to verify their authenticity.

A third email warns of dire penalties to be imposed on the recipient's company if they don't respond.

Bitdefender issued a similar warning in February when there was another spike in Dyre infections. 

Following the high profile takedowns of the Gameover Zeus, Ramnit and Shylock operations, Dyre infections have surged and attacks have become more aggressive, according to Symantec, which adds that Dyre is now rated the most dangerous financial Trojan.

“First seen in 2014, Dyre is very similar to the infamous Zeus,” states Catalin Cosoi, chief security strategist at Bitdefender. “It installs itself on the user's computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers inject malicious JavaScript code, allowing them to steal credentials and further manipulate accounts, all completely covertly.”

The attackers in the most recent wave of activity have targeted customers of banks in the UK, America and Germany.

“If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page. The server will then respond with the compressed version of the web page with malicious code added to it,” Cosoi said.

Dyre is configured to spoof pages from more than 1000 banks and other companies. “This altered web page is then displayed on the victim's web browser. Its appearance remains exactly the same, but the added code harvests the victim's login credentials,” Cosoi said.
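One defender-side check against the web inject described above, added here as an example and not code from the article or from any vendor it quotes: it fingerprints every script on a page and flags any script present in the copy the browser rendered but absent from the page the server actually sent. The two sample pages are constructed; in practice the rendered copy would come from an in-page integrity agent or a proxy capture.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page as (src, sha256 of inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:          # only inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest() if body else None
            self.scripts.append((self._src, digest))
            self._src = self._buf = None


def script_fingerprints(html):
    """Fingerprint of each script on the page, in document order."""
    p = ScriptCollector()
    p.feed(html)
    return p.scripts


def find_injected_scripts(baseline_html, rendered_html):
    """Scripts in the rendered page that the server-sent baseline never had."""
    expected = set(script_fingerprints(baseline_html))
    return [s for s in script_fingerprints(rendered_html) if s not in expected]


# Constructed sample: the login page as the bank served it, and the copy a
# Dyre-style inject hands back, identical apart from one extra inline script.
BASELINE = ('<html><body><form id="login" action="/login" method="post">'
            '<input name="user"><input name="pass" type="password"></form>'
            '<script src="/static/app.js"></script></body></html>')
RENDERED = BASELINE.replace(
    "</body>", "<script>/* injected: hooks the #login form */</script></body>")

if __name__ == "__main__":
    print(find_injected_scripts(BASELINE, RENDERED))  # one unexpected inline script
```

Because the comparison is by source URL plus a hash of inline content, a modified copy of a legitimate script is reported too, not only wholly new ones.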

Dyre has been around for a while, with several security firms highlighting its activities.

Symantec published a report on 23 June which stated that Dyre is very sophisticated, able to hijack all three major web browsers to intercept banking credentials. In addition, Dyre can download other software including botnet malware.

Despite having been around for a while, Dyre continues to be successful because of users' propensity to click without thinking. The 2015 edition of Proofpoint's annual cyber-crime report, the Human Factor, found that one in 25 recipients of a Dyre email will fall victim to it by clicking on a link.  

“The use of a linked URL – which enables attackers to rotate payloads and delay linking to bypass legacy secure email gateways – reiterates the need for organisations to invest in modern targeted attack protection and threat response systems, which can continually monitor such email-embedded URLs for clicks, even after the emails are delivered to users' inboxes,” said Kevin Epstein, VP of advanced security and governance at Proofpoint.

Amit Jasuja, senior VP of enterprise security products at Symantec, told SCMagazineUK.com that Dyre is able to evade detection because the attackers can modify the malware to change its signature. “The interesting thing is, if you trace malware back to its origins, it comes down to a dozen or two dozen real genetic signatures – it's all evolved from a few things that have morphed over time,” he said. “It's not that straightforward to keep up with, but that's part of what we do in our research labs – we continue to study and watch these things evolve.”