IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations. The campaign, named “The Dyre Wolf” by IBM Security researchers, shows a brazen twist from the once-simple Dyre malware by adding sophisticated social engineering tactics likely to circumvent two-factor authentication. In recent incidents, organizations have lost between $500,000 and $1.5 million to attackers.

While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Since its start in 2014, Dyre has evolved to become simultaneously sophisticated and easy to use, enabling cybercriminals to go for the bigger payout.

In October 2014, the IBM Trusteer team reported a huge increase in the infection rate of the Dyre malware, from 500 instances to nearly 3,500. There seems to be a direct relationship between the development advancements within the Dyre project and this uptick. From Dyre’s very early days, its authors included a mechanism that allows for spreading malware spam through a mass mailing of victims’ contacts lists. This methodology has always proven effective for malware authors, and Dyre takes advantage of it with dramatic results.

Spear Phishing, Malware and DDoS! Oh My!

What do the dire wolf, the wolf in sheep’s clothing and “The Wolf of Wall Street” have in common? Deception and a ferocious appetite to get what they want. The Dyre Wolf campaign is no different. From an initial infection via the Upatre malware through a spear-phishing email to a distributed denial-of-service (DDoS) attack, the criminals carrying out this latest string of attacks are using numerous sophisticated techniques. However, social engineering and the resulting banking credentials theft is the focus of this new campaign and is ultimately what is used to illicitly transfer money from victims’ accounts.

Organized Cybercrime Rings

An experienced and resource-backed cybercrime gang operates Dyre. It was used in wide-stroke attacks for the past year and has now moved into a more brazen stage of attacking corporate accounts via the incorporation of skilled social engineering schemes. What does this mean? As we continue to see, cybercriminals grow in resourcefulness and productivity at alarming rates. They are sharing expertise on a global scale via the Deep Web and launching carefully planned, long-term attacks to attain the highest return on investment.

In this campaign, the attackers are several steps ahead of everyone. Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. While there’s no easy way to know which companies do large wire transfers, it’s a very interesting coincidence. It’s also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware.

Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.

One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials.

As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.

This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees. IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error. These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.

The Dyre Wolf: What Can Be Done?

IBM Security recommends organizations follow these security best practices:

  • Train employees on security and how to report suspicious activity.
  • Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
  • Offer security training to employees to help understand threats and measures they can take to protect the organization.
  • Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
  • Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.

More from Malware

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today