The global cloud computing company Salesforce.com is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale, credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers. According to Salesforce.com, there is no evidence that the attack was successful, nor that any of its customers have been impacted.

An Emerging Yet Rapidly Growing Trend

The use of the Dyre Trojan to target enterprise customers of Salesforce.com is part of an emerging trend that has been rapidly growing over the last few years. So-called “banking Trojans” are no longer used only for targeting customers of large financial organizations — they are now increasingly used for targeting enterprises.

Trusteer, an IBM company, recently reported on another well-known banking Trojan, Citadel, which was used to target several petrochemical companies in the Middle East. The Citadel Trojan was configured to wait until the user accessed any of the targeted organizations' Internet-facing systems, such as Web mail, and then grab all the information the user submitted. This information would most likely include the user's credentials, giving the attackers access to these systems.

Banking Trojans like Zeus, Citadel, Shylock and, more recently, Dyre were originally designed to steal banking credentials and enable cybercriminals to commit financial fraud. They mainly used techniques like man-in-the-browser (MitB) and keylogging to grab the user's financial and personal information and enable fraudulent activities. Over the years, malware developers significantly extended the functionality of these Trojan families, creating new variants and widening their target lists. Today these Trojans offer a wide range of powerful functions that allow cybercriminals to steal information from infected computers, gain access to the networks to which these machines are connected and even take full control of the machines.

The development of sophisticated new capabilities turns these Trojans into powerful advanced persistent threat (APT) tools. They are no longer focused solely on stealing personal and financial data from victims: These Trojans are now being used to target various organizations in search of sensitive business data, access to organizational systems and even access to operational systems.


Massively Distributed Malware

Banking Trojans offer another advantage: They are massively distributed.

The use of massively distributed malware means that attackers don't need to spear-phish targets or design custom malware. Instead, they use mass-distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social-engineering schemes to infect millions of PCs around the world. Massively distributed malware therefore lets cybercriminals take advantage of millions of machines that are already infected with the Trojans.

In order to point these Trojans at new targets — in this case, enterprise organizations — the cybercriminal only needs to provide these Trojans with a new configuration file. The configuration file received from a command-and-control (C&C) server contains information about the targets as well as other operational details. The configuration file can also contain information about a new C&C the Trojan should start working with. This enables cybercriminals to repurpose existing Trojans on user machines as needed.
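To make the configuration-driven retargeting concrete, here is an added example in Python; it is not code from the original post, from IBM or from any malware family. It parses a constructed webinject configuration in the widely documented Zeus/Citadel "webinjects.txt" layout (a `set_url` pattern plus flags such as `GP`, followed by `data_before`/`data_inject`/`data_after` blocks each closed by `data_end`), matches the URL a victim visits against the target list, and applies an inject to a page in the man-in-the-browser manner mentioned above. The hostnames, HTML and inject payloads are invented, and the before/after replacement semantics are a simplified reading of the format rather than any bot's actual code. Appending a single `set_url` block is all it takes to make a bank-targeting config also fire on an enterprise webmail login, which is the retargeting the paragraph describes.

```python
"""Added example: parse a Zeus/Citadel-style webinject config and apply it.

The layout follows the widely documented "webinjects.txt" format; the
target URLs, page HTML and inject payloads are constructed, and the
replacement semantics are simplified (assumptions, not any bot's code).
"""
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str   # set_url glob; '*' matches any run of characters
    flags: str         # e.g. "GP": apply to GET and POST requests
    before: str = ""   # HTML that must precede the injection point
    inject: str = ""   # HTML to insert
    after: str = ""    # optional HTML that follows the injection point


def parse_webinjects(text: str) -> list[Inject]:
    """Collect set_url entries and their data_* blocks."""
    entries: list[Inject] = []
    section = None             # name of the data_* block being collected
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            entries.append(Inject(parts[1], parts[2] if len(parts) > 2 else ""))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and section is not None and entries:
            setattr(entries[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return entries


def _glob_to_regex(pattern: str) -> re.Pattern:
    """'*' becomes a non-greedy wildcard; everything else is literal."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S | re.I)


def targets_for(url: str, entries: list[Inject]) -> list[Inject]:
    """Entries whose set_url pattern matches the URL the victim is visiting."""
    return [e for e in entries if _glob_to_regex(e.url_pattern).fullmatch(url)]


def apply_inject(html: str, e: Inject) -> str:
    """Insert e.inject right after e.before; if e.after is set, the text
    between before and after is replaced instead (simplified semantics)."""
    if not e.before:
        return html
    m = _glob_to_regex(e.before).search(html)
    if m is None:
        return html
    start = end = m.end()
    if e.after:
        m2 = _glob_to_regex(e.after).search(html, start)
        if m2 is None:
            return html
        end = m2.start()
    return html[:start] + e.inject + html[end:]


# Constructed config as a bank-fraud operator would push it: add a PIN field.
BANK_CONFIG = """
set_url https://online.examplebank.test/login* GP
data_before
<input type="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atm_pin">
data_end
data_after
data_end
"""

# The "new configuration file" from the C&C: the same bot now also fires on
# a corporate webmail login (hostname invented).
ENTERPRISE_CONFIG = BANK_CONFIG + """
set_url https://mail.example-corp.test/owa/* GP
data_before
<form*>
data_end
data_inject
<input type="hidden" name="session_tag" value="bot-0001">
data_end
data_after
data_end
"""

# Constructed page as the browser receives it, before the bot rewrites it.
BANK_LOGIN_PAGE = ('<form action="/login"><input type="text" name="user">'
                   '<input type="password" name="pass"></form>')


def demo() -> dict:
    bank = parse_webinjects(BANK_CONFIG)
    retargeted = parse_webinjects(ENTERPRISE_CONFIG)
    webmail = "https://mail.example-corp.test/owa/auth/logon.aspx"
    hit = targets_for("https://online.examplebank.test/login?lang=en", bank)[0]
    return {
        "bank_targets": [e.url_pattern for e in bank],
        "webmail_hits_old_config": len(targets_for(webmail, bank)),
        "webmail_hits_new_config": len(targets_for(webmail, retargeted)),
        "rewritten_bank_page": apply_inject(BANK_LOGIN_PAGE, hit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same parser is useful on the defensive side: run it over a configuration recovered from an infected host or a C&C takedown and the `set_url` list tells you directly which of your own login pages the bot was pointed at.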

IBM Trusteer research found that, on average, one in 500 machines in the world is infected with massively distributed APT malware. Trusteer’s Security Services team reports that they discover massively distributed APT malware in every customer environment they work with. This means that any organization can become a target of these attacks. It is no longer a question of “if” machines will become infected; you must consider the possibility that some of the machines in your organization may already be infected. How will an infected user machine affect your organization?

Protecting Against Dyre and Other Massively Distributed APT Malware

IBM Trusteer Endpoint Protection solutions, IBM Security Trusteer Apex Advanced Malware Protection and IBM Security Trusteer Rapport provide extensive protection against massively distributed APT malware families, including Dyre, Citadel, Zeus, SpyEye, Shylock and more. These solutions detect, mitigate and remediate massively distributed APT malware infections. Moreover, the IBM Trusteer Apex and Rapport solutions stop future infections and prevent endpoint compromise by applying integrated, multilayered defenses that break the threat life cycle. IBM Trusteer threat research is based on dynamic intelligence feeds from more than 100 million protected endpoints and translated into security updates that are automatically sent to protected endpoints.

Deployments of IBM Trusteer Endpoint Protection solutions are backed by Trusteer’s security services, which help enterprise organizations deal with massively distributed APT attacks and emerging threats.
