The global cloud computing company is warning its customers that the Dyre Trojan might be used to target their login credentials. The Dyre banking Trojan, which typically targets customers of large financial institutions, was recently used in a large-scale, credential-phishing campaign targeting Bank of America, Citigroup, Royal Bank of Scotland and JPMorgan Chase customers. According to, there is no evidence that the attack was successful, nor that any of its customers have been impacted.

An Emerging Yet Rapidly Growing Trend

The use of the Dyre Trojan to target enterprise customers of is part of an emerging trend that has been rapidly growing over the last few years. So-called “banking Trojans” are no longer used only for targeting customers of large financial organizations — they are now increasingly used for targeting enterprises.

Trusteer, an IBM company, recently reported about another known banking Trojan, Citadel, which was used to target several petrochemical companies in the Middle East. The Citadel Trojan was instructed to wait until the user accesses any of the Internet-facing systems of the targeted organizations, such as Web mail, and grab all the information submitted by the user. This information would most likely include the user’s credentials, which would provide the attack with access to these systems.

In the past, banking Trojans like Zeus, Citadel, Shylock and now the Dyre Trojan were specifically designed to steal banking credentials and enable cybercriminals to commit financial fraud. They mainly used techniques like man-in-the-browser (MitB), or keylogging, to grab the user’s financial and personal information and enable fraudulent activities. Over the years, malware developers significantly extended the functionality of these Trojan families, creating new variants and extending their targets. Today these Trojans offer a wide range of powerful functions that allow cybercriminals to steal information from infected computers, gain access to networks to which these machines are connected and even gain full control over these machines.

The development of sophisticated new capabilities turns these Trojans into powerful advanced persistent threat (APT) tools. They are no longer focused solely on stealing personal and financial data from victims: These Trojans are now being used to target various organizations in search of sensitive business data, access to organizational systems and even access to operational systems.

Read the white paper: Proactive response to today’s advanced persistent threats

Massively Distributed Malware

Banking Trojans offer another advantage: They are massively distributed.

The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass-distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social-engineering schemes to infect millions of PC around the world. The use of massively distributed malware allows cybercriminals to take advantage of millions of machines already infected with the Trojans.

In order to point these Trojans at new targets — in this case, enterprise organizations — the cybercriminal only needs to provide these Trojans with a new configuration file. The configuration file received from a command-and-control (C&C) server contains information about the targets as well as other operational details. The configuration file can also contain information about a new C&C the Trojan should start working with. This enables cybercriminals to repurpose existing Trojans on user machines as needed.

IBM Trusteer research found that, on average, one in 500 machines in the world is infected with massively distributed APT malware. Trusteer’s Security Services team reports that they discover massively distributed APT malware in every customer environment they work with. This means that any organization can become a target of these attacks. It is no longer a question of “if” machines will become infected; you must consider the possibility that some of the machines in your organization may already be infected. How will an infected user machine affect your organization?

Protecting Against Dyre and Other Massively Distributed APT Malwares

IBM Trusteer Endpoint Protection solutions, IBM Security Trusteer Apex Advanced Malware Protection and IBM Security Trusteer Rapport provide extensive protection against massively distributed APT malware families, including Dyre, Citadel, Zeus, SpyEye, Shylock and more. These solutions detect, mitigate and remediate massively distributed APT malware infections. Moreover, the IBM Trusteer Apex and Rapport solutions stop future infections and prevent endpoint compromise by applying integrated, multilayered defenses that break the threat life cycle. IBM Trusteer threat research is based on dynamic intelligence feeds from more than 100 million protected endpoints and translated into security updates that are automatically sent to protected endpoints.

Deployments of IBM Trusteer Endpoint Protection solutions are backed by Trusteer’s security services, which help enterprise organizations deal with massively distributed APT attacks and emerging threats.

More from Banking & Finance

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

16 min read - In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors. BlotchyQuasar, which X-Force describes as…