A new version of Dyre malware, which recently reemerged to plague financial institutions in the form of the Dyre...
Wolf campaign, is now employing anti-sandbox techniques to avoid security professionals and pose a more insidious threat to financial enterprises.
New research from cloud-based security firm Seculert revealed that Dyre is capable of bypassing sandboxes by checking the system for processor cores. If only one core is found, Dyre terminates instantly.
"Sandboxes, in order to save processing power, will only use one core," Seculert CTO Aviv Raff told SearchSecurity.com, adding that most modern systems use two or four cores. "This is a major difference between the virtualized environment and the real environment."
Raff and his team noticed that the Dyre strain only utilized one sandbox-evading method. Since this was not usually the case, Raff decided to analyze further.
"We first began by testing a number of non-commercial, publicly available sandboxes," Raff wrote in the Seculert blog. "When four in a row failed to successfully analyze the malware, we knew we were on to something."
The team tested commercially available sandboxes as well, which also failed. According to Raff, it is likely the cybercriminals did similar sandbox research before choosing that particular method as their only anti-sandboxing move.
This version of Dyre was also adapted to switch user agents, a technique not seen before for this particular malware, according to the Seculert report. Changing user agents lets Dyre evade signature-based systems.
Last month, in a sophisticated malware campaign known as Dyre Wolf, the Dyre was paired with an Upatre dropper and social engineering techniques via phone to steal millions of dollars from banks. The cybercriminals behind Dyre Wolf were able to bypass multifactor authentication by masquerading as an official call center, tricking users into giving up their banking account credentials. Now, it seems, criminals are infecting victims with Dyre by bypassing the sandbox.
"The Dyre malware's success at evading sandboxes is just another example of why sandboxing, as a standalone, is an incomplete security approach," Raff wrote. "Rather the ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time."
Raff also said that banks and financial services companies are no longer the only victims of the Dyre malware. "This group is not targeting just financial institutions," he said. "They're targeting everyone with data that they can monetize."
Find out how the banking Trojan Vawtrak has returned with new, multilayered functionality