Dyre malware returns to rob banks of millions

Financial malware Dyre, in tandem with social engineering, was used in a new campaign to steal millions from financial institutions, according to IBM researchers.

Dyre Wolf, a new version of the Dyre malware campaign, was recently discovered by IBM researchers and has led to the loss of more than $1 million by banks and financial institutions worldwide.

The Dyre Wolf campaign is based on the existing Dyre financial malware but also includes several other sophisticated techniques to target organizations that regularly conduct large wire transfers, according to IBM's research report. The multilayered campaign includes spear phishing attacks to infect victims via the Upatre Trojan, the Dyre malware itself, additional social engineering attacks to obtain banking credentials, and even distributed denial-of-service (DDoS) attacks.

"This is an active campaign -- it's not something that happened a few months ago," John Kuhn, senior threat researcher at IBM, said. "[Dyre Wolf] shows the sophistication and the dedication that they have to achieve their goal -- which is stealing over a million dollars from individual companies."

While the Dyre malware evaded most antimalware tools, Kuhn said the unique social engineering aspect of the Dyre Wolf campaign is particularly dangerous. Like many other successful malware families and campaigns, Dyre Wolf is capable of bypassing multifactor authentication. But it does so through human interaction and social engineering rather than through a technical bypass.

Following the initial infection, according to IBM, the Dyre Wolf campaign tricks victims into logging into what they think is their corporate banking site -- but the fraudulent website will explain the site is experiencing technical difficulties and then provide a telephone number for support. When victims call the number, the attackers use social engineering to convince them to give up their account credentials or PINs.

"In order to defeat things like two-factor authentication with these banks, [the attackers] instituted a call center of some sort," Kuhn said. "They will answer the phone with that bank name to further the deception."

The attackers then wire the money to themselves, according to IBM. All of the Dyre Wolf group's traffic is encrypted using I2P, making it difficult to trace. But according to another IBM report, the malware appears to be owned and operated by a cybercrime gang based in Eastern Europe.

"When they steal a large sum of money and they transfer it to their offshore account, they need to move it to many other subsequent accounts to hide the money trail," Kuhn said. "Otherwise, the bank can just reverse the transaction at that point. So what they need to do is stall -- what they'll do is distract you."

As a result, the attackers use DDoS attacks to shut down websites to draw the focus away from the wire transfers. "DDoS has become a good distraction for a lot of different attacks," Kuhn said.

Since the falloff of popular banking Trojans such as Zeus and Shylock last year, lesser-known malware variations like Dyre have gained prominence.

Symantec's State of Financial Trojans report for 2014 showed that Infostealer.Dyranges (another name for Dyre) had infected about 90,000 computers, second only to Trojan.Zbot (Zeus) for the year. Appearing in June, Dyranges spiked in infection by August, died down for a few months and then continued to rise in December, according to the report.

A Dell SecureWorks report from December also showed how the Dyre malware had spread quickly to become one of the most prominent banking Trojans in the world, describing how "[e]ach iteration included refinements and new features to make it more powerful and robust."

A Dell SecureWorks security researcher, who wished to remain anonymous, said the Dyre malware is a major threat not just because of its robust features and techniques but because a Dyre infection can lead to further infections by other financial malware.

"Once your system is infected by Dyre, it can also download other malware," the researcher said. "We've seen that Dyre was dropping Gozi [malware]. Gozi has the same functionality and can drop Dyre as well."

Gozi is another type of financial malware that has spawned such variations as Snafuli and Vawtrak.

By Christmas last year, Dyre had 260 targets, according to Khandhar. As of today, he said, Dyre has more than 450 targets, including most of the banks and financial institutions around the world.
