
Dyre malware returns to rob banks of millions

Financial malware Dyre, in tandem with social engineering, was used in a new campaign to steal millions from financial institutions, according to IBM researchers.

Dyre Wolf, a new version of the Dyre malware campaign, was recently discovered by IBM researchers and has led to the loss of more than $1 million by banks and financial institutions worldwide.

The Dyre Wolf campaign is based on the existing Dyre financial malware but also includes several other sophisticated techniques to target organizations that regularly conduct large wire transfers, according to IBM's research report. The multilayered campaign includes spear phishing attacks to infect victims via the Upatre Trojan, the Dyre malware itself, additional social engineering attacks to obtain banking credentials, and even distributed denial-of-service (DDoS) attacks.

"This is an active campaign -- it's not something that happened a few months ago," John Kuhn, senior threat researcher at IBM, said. "[Dyre Wolf] shows the sophistication and the dedication that they have to achieve their goal -- which is stealing over a million dollars from individual companies."

While the Dyre malware evaded most antimalware tools, Kuhn said the unique social engineering aspect of the Dyre Wolf campaign is particularly dangerous. Like many other successful malware families and campaigns, Dyre Wolf is capable of bypassing multifactor authentication, but it does so through human interaction and social engineering.

Following the initial infection, according to IBM, the Dyre Wolf campaign tricks victims into logging into what they think is their corporate banking site -- but the fraudulent website will explain the site is experiencing technical difficulties and then provide a telephone number for support. When victims call the number, the attackers use social engineering to convince them to give up their account credentials or PINs.

"In order to defeat things like two-factor authentication with these banks, [the attackers] instituted a call center of some sort," Kuhn said. "They will answer the phone with that bank name to further the deception."

The attackers then wire the money to themselves, according to IBM. All of the Dyre Wolf group's traffic is encrypted using I2P, making it difficult to trace. But according to another IBM report, the malware appears to be owned and operated by a cybercrime gang based in Eastern Europe.

"When they steal a large sum of money and they transfer it to their offshore account, they need to move it to many other subsequent accounts to hide the money trail," Kuhn said. "Otherwise, the bank can just reverse the transaction at that point. So what they need to do is stall -- what they'll do is distract you."

As a result, the attackers use DDoS attacks to shut down websites to draw the focus away from the wire transfers. "DDoS has become a good distraction for a lot of different attacks," Kuhn said.

Since the falloff of popular banking Trojans such as Zeus and Shylock last year, lesser-known malware variations like Dyre have recently gained prominence.

Symantec's State of Financial Trojans report for 2014 showed that Infostealer.Dyranges (another name for Dyre) had infected about 90,000 computers, second only to Trojan.Zbot (Zeus) for the year. Appearing in June, Dyranges spiked in infection by August, died down for a few months and then continued to rise in December, according to the report.

A Dell SecureWorks report from December also showed how the Dyre malware had spread quickly to become one of the most prominent banking Trojans in the world, describing how "[e]ach iteration included refinements and new features to make it more powerful and robust."

A Dell SecureWorks security researcher, who wished to remain anonymous, said the Dyre malware is a major threat not just because of its robust features and techniques but because it can lead to other infections of financial malware.

"Once your system is infected by Dyre, it can also download other malware," the researcher said. "We've seen that Dyre was dropping Gozi [malware]. Gozi has the same functionality and can drop Dyre as well."

Gozi is another type of financial malware that has spawned such variations as Snafuli and Vawtrak.

By Christmas last year, Dyre had 260 targets, according to Khandhar. As of today, he said, Dyre has more than 450 targets, including most of the banks and financial institutions around the world.


Does your organization offer security awareness training to prevent social engineering attacks?
When I joined as a new employee, I went through the same thing as everyone does. There were a few hours spent on the IT systems that I found mostly obvious as someone who works in software development. But it did cover aspects like this. It discussed why passwords are private and what to do if someone asks you for information they shouldn't.

Training is one thing, and practice is another. It's not long ago that we had a discussion on a case where sharing a password for a service with IT personnel was needed. People forget the training, even the ones responsible for delivering such training.

I used to work in a software security company, where these themes were more common, but it made me aware that what my current company does in training might not be all that common.

Yes, we do have mandatory corporate security awareness training. In fact, I just attended a webinar session hosted by our security officer earlier today.

We covered phishing, how to recognize scams, physical security such as access to the building and best practices for taking your laptop with you, things like that. We also briefly discussed some specific cases of data breaches and how they occurred, such as Target and Sony Entertainment.

Yes, we do have IT security training in place. However, as far as "social engineering" attacks are concerned, I feel that there is more that people can do themselves instead of relying only on training material.

Yes, humans are "expressive" beings and they do express their likes, details, interests and experiences on some public forum or other, from where hackers extract the information needed. For offices, the majority of people keep their password generic and in a specific date-related format, which makes it easy to change periodically and without much hassle. Unfortunately, those who are good at guessing can easily crack it and problems can arise.

People should be careful in conversations over coffee or with friends at the workplace, for that matter. There is a lot more that lies in terms of security that typical training cannot cover.

We do not offer formal training on security awareness where I work, but the company does include security awareness tips in the daily emails sent out by corporate communications, and there are instructional materials on the intranet. Additionally, when a specific threat has been identified, such as someone receiving a phishing email, the entire company is notified, both via broadcast email and posted flyers.

We have preliminary training on social engineering, and then we also reinforce it with a regular newsletter with other topics and variations to consider.

What I've experienced so far in my life is that modern technology is used more for ill than for good. Data, information, names, addresses, codes and all our so-called personal and private information is stolen every second of the twenty-four-hour day by cyber criminals! It also deprives the human race of more employment than it ever makes and, further and more importantly, it transmits a whole lot of rubbish that the human race would be healthier, less stressed, and a damn sight happier without.

The same sorts of errors, many preventable, and many due to social engineering, continue to plague systems globally. When will the industry wake up and realize they are in effect the emperor without clothes? We need industry and academia to take notice. We need better training methods, and better training in general.

We leave the door open then feign amazement when the bad guys walk in and walk out with our goodies. This is such a common thing these days, we should just invent a pat fill-in-the-blanks statement that we can just trot out day after day: this many data breaches, this many affected, this much lost.

Maybe we could just rank all the data breaches. Biggest loss this month, most money stolen, most people affected.... Might as well - we sure as hell aren't doing a whole lot to prevent them.

More e-mails for APAC targeting Salesforce users

Social media is a big part of the problem. It's amazing how many people divulge personal info. The thing that bothers me the most is the places you dine at. Sign up and get a free appetizer. Then they want your address and birthday??? Really?? I have yet to hear someone say they are getting mail (old snail mail) from any of these. They do get countless e-mails. Can you explain why they need to know when I was born?? If it's to give us a free food item once a year, then make it the anniversary date of when we joined their club.