Dyre Banking Trojan Used in APT-Style Attacks Against Enterprises

September 15, 2014
| |
3 min read

The global cloud computing company Salesforce.com is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale, credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers. According to Saleforce.com, there is no evidence that the attack was successful, nor that any of its customers have been impacted.

An Emerging Yet Rapidly Growing Trend

The use of the Dyre Trojan to target enterprise customers of Salesforce.com is part of an emerging trend that has been rapidly growing over the last few years. So-called “banking Trojans” are no longer used only for targeting customers of large financial organizations — they are now increasingly used for targeting enterprises.

Trusteer, an IBM company, recently reported about another known banking Trojan, Citadel, which was used to target several petrochemical companies in the Middle East. The Citadel Trojan was instructed to wait until the user accesses any of the Internet-facing systems of the targeted organizations, such as Web mail, and grab all the information submitted by the user. This information would most likely include the user’s credentials, which would provide the attack with access to these systems.

In the past, banking Trojans like Zeus, Citadel, Shylock and now the Dyre Trojan were specifically designed to steal banking credentials and enable cybercriminals to commit financial fraud. They mainly used techniques like man-in-the-browser (MitB), or keylogging, to grab the user’s financial and personal information and enable fraudulent activities. Over the years, malware developers significantly extended the functionality of these Trojan families, creating new variants and extending their targets. Today these Trojans offer a wide range of powerful functions that allow cybercriminals to steal information from infected computers, gain access to networks to which these machines are connected and even gain full control over these machines.

The development of sophisticated new capabilities turns these Trojans into powerful advanced persistent threat (APT) tools. They are no longer focused solely on stealing personal and financial data from victims: These Trojans are now being used to target various organizations in search of sensitive business data, access to organizational systems and even access to operational systems.

Read the white paper: Proactive response to today’s advanced persistent threats

Massively Distributed Malware

Banking Trojans offer another advantage: They are massively distributed.

The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass-distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social-engineering schemes to infect millions of PC around the world. The use of massively distributed malware allows cybercriminals to take advantage of millions of machines already infected with the Trojans.

In order to point these Trojans at new targets — in this case, enterprise organizations — the cybercriminal only needs to provide these Trojans with a new configuration file. The configuration file received from a command-and-control (C&C) server contains information about the targets as well as other operational details. The configuration file can also contain information about a new C&C the Trojan should start working with. This enables cybercriminals to repurpose existing Trojans on user machines as needed.

IBM Trusteer research found that, on average, one in 500 machines in the world is infected with massively distributed APT malware. Trusteer’s Security Services team reports that they discover massively distributed APT malware in every customer environment they work with. This means that any organization can become a target of these attacks. It is no longer a question of “if” machines will become infected; you must consider the possibility that some of the machines in your organization may already be infected. How will an infected user machine affect your organization?

Protecting Against Dyre and Other Massively Distributed APT Malwares

IBM Trusteer Endpoint Protection solutions, IBM Security Trusteer Apex Advanced Malware Protection and IBM Security Trusteer Rapport provide extensive protection against massively distributed APT malware families, including Dyre, Citadel, Zeus, SpyEye, Shylock and more. These solutions detect, mitigate and remediate massively distributed APT malware infections. Moreover, the IBM Trusteer Apex and Rapport solutions stop future infections and prevent endpoint compromise by applying integrated, multilayered defenses that break the threat life cycle. IBM Trusteer threat research is based on dynamic intelligence feeds from more than 100 million protected endpoints and translated into security updates that are automatically sent to protected endpoints.

Deployments of IBM Trusteer Endpoint Protection solutions are backed by Trusteer’s security services, which help enterprise organizations deal with massively distributed APT attacks and emerging threats.

Dana Tamir
Director of Enterprise Security at Trusteer, an IBM Company

Dana Tamir is Director of Enterprise Security at Trusteer, an IBM Company. In her role she leads activities related to enterprise advanced threat protection ...
read more