Some of the cyber-criminals who were behind the defunct Dyre banking Trojan and managed to avoid arrest by Russian authorities may have rewritten the old Dyre code to create a new banking Trojan called TrickBot.
Fidelis threat researcher Jason Reaves reported in his Threat Geek security blog that there are enough similarities between the Dyre and TrickBot code and execution to make a strong case that some of the bad actors behind Dyre may have reemerged with TrickBot.
“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot,” Reaves said.
Reaves noted that while there are some differences between the two Trojans enough similarities remain to link the two. TrickBot was first spotted in September and has been targeting Australian banks.
The first clue is that TrickBot's loader, called TrickLoader, features several parallels to the one used by Dyre. However, Reaves went on to say that the relationship can truly be seen after TrickBot is properly decoded.
“The first thing we noticed is the custom crypter which after careful analysis was found to be used for both TrickLoader along with Vawtrak, Pushdo and Cutwail malware. This is interesting because Cutwail spambot was a favorite of old Dyre crew for use in their spam campaigns,” Reaves said.
The bot itself also has a number of similarities, but it is also has obviously been rewritten whereas the Dyre code used AES and SHA256 for encryption TrickBot uses Microsoft CryptoAPI and COM, Reaves said.
The death of Dyre caught the security industry by surprise. The malware essentially fell off the face of the Earth in November 2015 with no signal as to why and it was not until several months later when Russian law enforcement announced it had arrested most of the gang running Dyre that the reason became known.