The global cloud computing company Salesforce.com is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers. According to Salesforce.com, there is no evidence that the attack was successful, nor that any of its customers have been impacted.

An Emerging Yet Rapidly Growing Trend

The use of the Dyre Trojan to target enterprise customers of Salesforce.com is part of an emerging trend that has been rapidly growing over the last few years. So-called “banking Trojans” are no longer used only for targeting customers of large financial organizations — they are now increasingly used for targeting enterprises.

Trusteer, an IBM company, recently reported on another known banking Trojan, Citadel, which was used to target several petrochemical companies in the Middle East. The Citadel Trojan was instructed to wait until the user accessed any of the Internet-facing systems of the targeted organizations, such as Web mail, and grab all the information submitted by the user. This information would most likely include the user’s credentials, which would provide the attacker with access to these systems.

In the past, banking Trojans like Zeus, Citadel, Shylock and now the Dyre Trojan were specifically designed to steal banking credentials and enable cybercriminals to commit financial fraud. They mainly used techniques like man-in-the-browser (MitB) or keylogging to grab the user’s financial and personal information and enable fraudulent activities. Over the years, malware developers significantly extended the functionality of these Trojan families, creating new variants and extending their targets. Today these Trojans offer a wide range of powerful functions that allow cybercriminals to steal information from infected computers, gain access to networks to which these machines are connected and even gain full control over these machines.

The development of sophisticated new capabilities turns these Trojans into powerful advanced persistent threat (APT) tools. They are no longer focused solely on stealing personal and financial data from victims: These Trojans are now being used to target various organizations in search of sensitive business data, access to organizational systems and even access to operational systems.


Massively Distributed Malware

Banking Trojans offer another advantage: They are massively distributed.

The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass-distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social-engineering schemes to infect millions of PCs around the world. Massively distributed malware therefore lets cybercriminals take advantage of millions of machines that are already infected with the Trojans.

In order to point these Trojans at new targets — in this case, enterprise organizations — the cybercriminal only needs to provide these Trojans with a new configuration file. The configuration file received from a command-and-control (C&C) server contains information about the targets as well as other operational details. The configuration file can also contain information about a new C&C the Trojan should start working with. This enables cybercriminals to repurpose existing Trojans on user machines as needed.
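From a defender's point of view, the practical consequence of this design is that a decoded configuration file answers two questions: which of the organization's own login pages are on the Trojan's target list, and which new C&C hosts should be blocked. The script below is an added example, not code from the article or from IBM Trusteer. Its config format (glob-style URL patterns plus `c2=` lines), the hostnames and the asset inventory are all constructed for illustration; real configs are binary and family-specific, so a parser for them has to follow the analyst's decoding of that family.

```python
"""Match a decoded Trojan target list against an organization's own login pages.

Added example, not code from the original article or from IBM Trusteer. The
config format below (glob-style URL patterns plus 'c2=' lines) is a
simplification invented for this example; real family configs are binary and
family-specific, so a parser for them must follow the analyst's decoding.
"""
import fnmatch

# Constructed sample of a decoded configuration: one URL pattern per line,
# '#' comments, and 'c2=' lines naming servers the Trojan should switch to.
CONSTRUCTED_CONFIG = """\
# form-grab / inject targets (constructed)
*://*.example-bank.test/login*
https://mail.example-corp.test/owa/*
*://login.example-crm.test/*
*://*.example-crm.test/secur/*
# new command-and-control servers (constructed)
c2=relay1.c2-example.invalid
c2=relay2.c2-example.invalid
"""

# Constructed inventory of the organization's Internet-facing login pages.
CONSTRUCTED_ORG_ASSETS = [
    "https://mail.example-corp.test/owa/auth/logon.aspx",
    "https://vpn.example-corp.test/remote/login",
    "https://login.example-crm.test/",
    "https://intranet.example-corp.test/",
]


def parse_config(text):
    """Split a decoded config into target URL patterns and C&C hostnames."""
    patterns, c2_hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("c2="):
            c2_hosts.append(line[3:].strip())
        else:
            patterns.append(line)
    return patterns, c2_hosts


def match_assets(patterns, assets):
    """Return {asset_url: [matching patterns]} for assets the config targets.

    fnmatch treats '*' as matching any run of characters, '/' included, which
    is the usual meaning in these target lists; matching is case-insensitive.
    """
    hits = {}
    for url in assets:
        matched = [p for p in patterns if fnmatch.fnmatchcase(url.lower(), p.lower())]
        if matched:
            hits[url] = matched
    return hits


def triage(config_text, assets):
    """Produce the two artefacts a defender wants from a decoded config."""
    patterns, c2_hosts = parse_config(config_text)
    return {
        "targeted_assets": match_assets(patterns, assets),
        "c2_blocklist": sorted(set(c2_hosts)),
    }


if __name__ == "__main__":
    result = triage(CONSTRUCTED_CONFIG, CONSTRUCTED_ORG_ASSETS)
    for url, pats in result["targeted_assets"].items():
        print(f"TARGETED {url}  <- {', '.join(pats)}")
    for host in result["c2_blocklist"]:
        print(f"BLOCK    {host}")
```

Run against the constructed data, the Web mail and CRM login pages come back as targeted while the VPN and intranet pages do not, and the two `c2=` hosts come back as a blocklist; the same two outputs are what an incident responder would feed into the proxy and DNS controls after a real config is decoded.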

IBM Trusteer research found that, on average, one in 500 machines in the world is infected with massively distributed APT malware. Trusteer’s Security Services team reports that they discover massively distributed APT malware in every customer environment they work with. This means that any organization can become a target of these attacks. It is no longer a question of “if” machines will become infected; you must consider the possibility that some of the machines in your organization may already be infected. How will an infected user machine affect your organization?

Protecting Against Dyre and Other Massively Distributed APT Malware

IBM Trusteer Endpoint Protection solutions, IBM Security Trusteer Apex Advanced Malware Protection and IBM Security Trusteer Rapport provide extensive protection against massively distributed APT malware families, including Dyre, Citadel, Zeus, SpyEye, Shylock and more. These solutions detect, mitigate and remediate massively distributed APT malware infections. Moreover, the IBM Trusteer Apex and Rapport solutions stop future infections and prevent endpoint compromise by applying integrated, multilayered defenses that break the threat life cycle. IBM Trusteer threat research is based on dynamic intelligence feeds from more than 100 million protected endpoints and translated into security updates that are automatically sent to protected endpoints.

Deployments of IBM Trusteer Endpoint Protection solutions are backed by Trusteer’s security services, which help enterprise organizations deal with massively distributed APT attacks and emerging threats.
