New Configuration of the Dyre Trojan Coming After 17 Spanish Banks
As Europeans head to the beaches of Spain this summer, the cybercriminals behind the highly successful Dyre malware are not taking a break. In fact, they are turning up the heat and have set their sights on 17 Spanish banks, and several European banks’ Spain-based subsidiaries. IBM Security X-Force researchers were able to analyze a new Dyre Trojan configuration file that followed the release of a new Dyre build. This is the first configuration that targets such a large number of Spanish banks. Previous versions only included three or five Spain-based banks on the victim roster, likely as a way to test the waters before moving to a more aggressive phase.
The analysis reveals that Dyre’s developers have expanded the capabilities and reach of the malware by updating its webinjections to match the new banks they are targeting in Spain. On top of its Spanish targets the Dyre gang sees opportunities in other Spanish speaking countries beyond Spain, attacking in Chile, Colombia and Venezuela. This is hardly surprising given that Spanish is the second most spoken language in the world.
Dyre is not new in Europe. It already targets banks all over the European continent, unsurprisingly leaving out only Russia and the former Soviet Union region. Within Europe, Dyre infection rates in Spain are ranked third after the UK and France.
In numbers, Spanish companies recorded losses of EUR 14 billion from cybercrime in 2014. The recent cybercrime news from Spain features the arrest of a gang that managed to amass EUR 2 million in fraudulent premium number phone calls from stolen phones and SIM cards.
IBM has appropriately shared the new Dyre information to help prepare and protect targeted banks against the heightened security risk.
Dyre, which was named after the string “I am Dyreza” found inside its code, started out as a seemingly simple RAT (Remote Access Trojan) project in mid-2014. While it used to only sniff out encrypted credentials, it has since rapidly and aggressively evolved, shape-shifting in both its technical makeup and its crime methodologies. Nowadays, Dyre is a full-blown banking Trojan that keeps security professionals guessing and its victims in constant remediation mode.
Dyre is one of the most advanced malware codes active in the wild nowadays because of its feature-rich capabilities and its constant updates, which are designed to evade detection by anti-virus and static security mechanisms. And while Dyre in itself is rather interesting from a technical standpoint, the group behind it is the more important study for today’s counter-cybercrime professionals.
The cybercrime gang behind Dyre is certainly not composed of amateurs. From its infrastructure scheme, to the manpower, to the knowledge of banking websites and authentication schemes, this group is resource-backed, experienced and savvy.
Dyre’s team is a closed, “private gang.” This designation refers to cybercrime groups that own crimeware they develop and keep to themselves. They do not exchange information on underground fraud boards, share knowledge, or ask questions. They do not sell the malware, and they are extremely careful about adding new members to their gang.
Dyre is linked with a number of well-known malware operating groups. The gang has ties to the Upatre downloader, the Cutwail spam botnet and the RIG exploit kit, and it has already shared communication servers with the Feodo Trojan (a Russia-made Bugat offspring).
Dyre’s Targeted Cybercrime Attacks
From its early beginnings, Dyre’s gang was not in the game for the low-hanging fruit typically pursued by smaller, run-of-the-mill cyber gangs. This team came in aiming high. And by high, I mean corporate money, at least half a million dollars at a time.
Information about the initial broad-stroke Dyre operation was first made public in mid-June 2014 by PhishMe Labs. Keep in mind that by the time malware is uncovered, it has usually already been in the wild for a few months. It was no more than three months later that IBM Security started reporting on Dyre targeting the Salesforce.com accounts of major American banks and harvesting their customer information.
At the time, many thought that Dyre was after data to monetize for business espionage purposes, but by the time the Dyre Wolf campaign was discovered by IBM in early 2015, things became a lot clearer: targeted wire fraud attacks.
Targeted fraud represents a cross between APT attacks and financial fraud attacks. The criminals begin by obtaining intelligence about the organization they are going to target, invest time and attention in breaching its systems, and set the ground for fraud before they hit with a very large illicit wire transfer.
With the new Spain-specific configuration file, Spanish banks and their corporate clients are at higher risk of suffering targeted wire fraud attacks.
How Do These Attacks Work?
To launch these targeted wire fraud attacks, Dyre deploys a “SWAT team” within its ranks. The special team carefully maneuvers fraud operations with supporting fraudulent telephone calls and skilled social engineering in the precise language and accent the defrauded entity would expect from their bank. The fraud can be followed up by a DDoS attack to make sure the company is unable to log back into the account, or is busy trying to figure out how to fend it off.
Dyre, unlike most advanced malware of similar grade, is operated by what appears to be a very organized group. The overall botnet is divided into sections, campaigns are marked by the date they are launched, and regions are split into a number of different malware builds.
A small number of “workers” appear to be dedicated to each zone in order to maximize profits from each captured account.
The “workers” that operate daily to perpetrate Dyre fraud are on shift Monday through Friday, from morning to evening according to U.S. time zones. Weekends are usually downtime.
On top of day-to-day wire fraud attacks, Dyre evidently also has a criminal “SWAT team” dedicated to big-time fraud: corporate bank accounts and extremely high-value transfers. We are talking about one-time transfers that start at $500,000 and can go up to $1.5 million. Because these large one-time fraud attacks occur amid other smaller campaigns and require highly specialized capabilities and real-time attention, we believe there is a clear separation of duties within the attack teams.
This Dyre “SWAT team” is likely the faction that’s behind Dyre Wolf-type attacks. In these specific and targeted heists, Dyre goes after the bank’s largest accounts, defrauding companies that move big money for goods or services. Think pharmaceuticals, oil & gas, manufacturers – organizations that do business overseas as part of their routine and normally pay large sums in SWIFT transfers to countries like China.
This is definitely not what we see with commercial malware like Zeus, in every variation of it, nor with shared code like Bugat and Dridex, or even advanced leaked codes like Tinba and Neverquest.
Location-wise, the Dyre teams are likely located in Ukraine and Russia, based on the working-hours pattern and time zone (UTC+2, UTC+3) and on the fact that, as reported by Symantec, over 80 percent of all Dyre servers come through Russian and Ukrainian IP addresses.
What Makes Dyre Stand Out?
Although Dyre started out simpler in terms of malware capabilities, it is now a highly potent information stealer and browser injection tool. IBM Security X-Force researchers see this malware project evolving incessantly. The executable file is constantly upgraded in small bits, sometimes literally every week. Configurations are adapted to the region attacked, mostly EU and U.S.
Dyre’s developers are keeping on top of the project with encryption and evasion layers, anti-research features, new anti-sandbox tricks, all of which are developed and upgraded in a quest to keep Dyre out of sight. Ultimately, the purpose is to make sure this malware continues to produce the massive amounts of stolen cash that it harvests for its operators.
Dyre’s Real Time Injection Scheme
Dyre’s power lies in its ability to manipulate the way the Internet browser works, on the fly and very selectively according to the bank it is targeting.
In its earlier days, Dyre’s operators took on the painstaking task of sending victims to fake web pages that they prepared in advance. To do that, they literally replicated the banks’ login and post login web pages, which resembled what pharming attacks try to do. They kept the SSL connection alive with the bank, only to make it appear legitimate to the user and to security tools the banks may have running, showing that the actual communication is still happening securely.
That method must have been very time-intensive, since it has since been replaced by a browser injection implementation. What sets Dyre apart is that the configuration of these injections is not saved locally on the infected PC and then used as needed by the malware. Rather, Dyre injections are dictated by its webinject server, in real time, dynamically, and selectively according to each bank URL accessed.
This method enables Dyre to manipulate the page displayed to the victim in a more controlled manner, and also keeps all its configuration schemes as concealed as possible from the prying eyes of security professionals.
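Because the injection configuration never lands on disk, a defender cannot rely on recovering it from the infected PC; what remains observable is the difference between the page the bank served and the page the browser rendered. The following is an added example (not IBM’s or the Dyre authors’ code) of a bank-side page-integrity check: the server already knows which fields its login form contains, so a client-reported snapshot that includes extra fields is a strong injection signal. The HTML, form ids and field names below are constructed for illustration.

```python
"""Detect form fields injected into a login page (added example, constructed data).

The bank's reference login form is compared with a snapshot of the form as
rendered in the customer's browser. Any field present in the snapshot but
absent from the reference was added on the client side.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (form_id, input_name) pairs for every data-bearing field."""

    def __init__(self):
        super().__init__()
        self._current_form = None
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current_form = attrs.get("id") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and self._current_form:
            name = attrs.get("name")
            field_type = (attrs.get("type") or "").lower()
            # Submit buttons carry no user data, so they are not part of the profile.
            if name and field_type != "submit":
                self.fields.add((self._current_form, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def extract_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(reference_html, observed_html):
    """Return fields present in the observed page but absent from the reference."""
    return sorted(extract_fields(observed_html) - extract_fields(reference_html))


# Constructed reference login form as served by the bank.
REFERENCE_PAGE = """
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="constructed-token">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed snapshot of the same form as rendered on an infected client:
# two extra fields request data the real form never asks for.
OBSERVED_PAGE = """
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="constructed-token">
  <input name="pin" type="password">
  <input name="card_number" type="text">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for form_id, field in injected_fields(REFERENCE_PAGE, OBSERVED_PAGE):
        print(f"unexpected field '{field}' in form '{form_id}'")
```

In practice the snapshot would be collected by a small script on the bank’s own page and posted back with the login request; the comparison is deliberately limited to field names so that legitimate client-side rendering differences (whitespace, styling) do not produce false alarms.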
Recent findings published about Dyre’s tactics came from researcher Bryan Campbell, lead threat intelligence analyst at the Fujitsu SOC, who blogged about the malware using compromised routers to freeload its communications with the botnet. In an online chat I had with Campbell, we theorized why Dyre would do this. The answer seems simple: Dyre has found a simple way to take over these routers and run through them as an added layer of traffic obfuscation for its already intricate communications schemes.
According to its configuration, Dyre operates a dedicated server for the webinjection traffic, and separate ones for the C&C and data exfiltration. To keep its loot confidential and stay away from blacklists, Dyre uses I2P to anonymize its connections. As a fallback mechanism, Dyre relies on a Domain Generation Algorithm (DGA) under the hood, to make sure its bots always go through a resource whose name changes dynamically.
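A DGA fallback has a side effect defenders can use: when a bot cycles through generated names, most of them do not resolve, so the infected host produces a burst of NXDOMAIN answers for long, high-entropy labels. The following added example (not IBM’s code, and not tied to Dyre’s actual algorithm, which the article does not describe) applies that generic heuristic to resolver logs. The log format, client addresses and hostnames are constructed for illustration; the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic DGA-burst detection over DNS resolver logs (added example, constructed data).

No knowledge of a specific generation algorithm is needed: a client that
produces many NXDOMAIN answers for long, high-entropy second-level labels
within the window covered by the log is reported as a suspect.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """Label directly below the TLD, e.g. 'example' for 'www.example.com'."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line):
    # Constructed log format: "<timestamp> <client_ip> <qname> <rcode>"
    _ts, client, qname, rcode = line.split()
    return client, qname, rcode


def dga_suspects(lines, min_nxdomain=5, min_entropy=3.5, min_len=12):
    """Map client -> list of suspicious NXDOMAIN names, for clients over threshold."""
    per_client = defaultdict(list)
    for line in lines:
        client, qname, rcode = parse_line(line)
        label = second_level_label(qname)
        if (rcode == "NXDOMAIN" and len(label) >= min_len
                and shannon_entropy(label) >= min_entropy):
            per_client[client].append(qname)
    return {c: names for c, names in per_client.items() if len(names) >= min_nxdomain}


# Constructed resolver log: one host bursting through generated-looking names,
# one host with a typo (short label, low entropy) that should not be flagged.
SAMPLE_LOG = [
    "2015-07-01T09:00:01 10.0.0.7 www.example.com NOERROR",
    "2015-07-01T09:00:02 10.0.0.7 qzwxecrvtbynumio.net NXDOMAIN",
    "2015-07-01T09:00:02 10.0.0.7 plkjhgfdsamnbvcx.org NXDOMAIN",
    "2015-07-01T09:00:03 10.0.0.7 hrtlkwqpdnmzbvcs.com NXDOMAIN",
    "2015-07-01T09:00:03 10.0.0.7 ytrewqasdfghjklz.net NXDOMAIN",
    "2015-07-01T09:00:04 10.0.0.7 mnbvcxzlkjhgfdsa.org NXDOMAIN",
    "2015-07-01T09:00:04 10.0.0.7 xoqpwlkdmrnsvbhe.com NXDOMAIN",
    "2015-07-01T09:00:05 10.0.0.12 www.bank.example NOERROR",
    "2015-07-01T09:00:06 10.0.0.12 examplle.com NXDOMAIN",
]

if __name__ == "__main__":
    for client, names in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} high-entropy NXDOMAIN queries, e.g. {names[0]}")
```

Entropy alone misfires on legitimate CDN and cloud hostnames, which is why the rule also requires the NXDOMAIN response code and a per-client count; on real logs the window should be bounded in time and the suspect list joined with proxy or I2P-related egress alerts before anyone is paged.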
In terms of Dyre’s proliferation in the past month, IBM data shows that Dyre is ranked second right after Neverquest, which is a widely used commercial malware. It is interesting that Dyre, the privately owned Trojan, is the second most prolific Trojan in cybercrime attacks.
Dyre infection campaign trends show the malware’s activity in cyclical peaks that are typical of the way the gang spreads this malware to new machines and devices.
According to Dyre’s internal campaign nomenclature, where campaign IDs carry the month and day on which they were launched, new spam blasts are launched two to three times a week, in different countries.
Figure 3 shows Dyre’s infection trend in Spain since the launch of the new configuration that’s geared to attack Spanish banks.
Based on other Dyre campaigns that IBM Security X-Force is familiar with, we expect to see Dyre give special attention to the Spanish territory. Typically, widespread infection campaigns via malware-laden emails deliver Dyre’s loader – the Upatre downloader. The most common spam ploys that Dyre uses are tax notifications, invoices, or fake parcel notices to lure users into opening the attachments and unknowingly launching Upatre, which then fetches and runs Dyre. The campaigns are bound to raise the infection rates in the country and result in an increase in fraudulent transactions.
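The infection chain above starts with a mail attachment that the user is lured into opening, so the mail gateway is the earliest place to break it. The following added example (not IBM’s code) shows attachment triage rules that a gateway could apply: executable extensions, document-looking double extensions, an executable header hiding under a document extension, and executables packed inside a ZIP archive. The lure names and file contents are constructed; the extension lists are assumptions that a real deployment would extend.

```python
"""Triage of email attachments for executable lures (added example, constructed data).

Returns the reasons an attachment should be quarantined, looking inside ZIP
archives because lures frequently arrive as "invoice.zip" wrapping an
executable.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _stem_ext(name):
    # Extension just before the last one, e.g. ".pdf" for "invoice.pdf.exe".
    stem = name.lower().rsplit(".", 1)[0]
    return _ext(stem)


def classify_file(name, data):
    """Rules applied to a single file (top-level attachment or archive member)."""
    reasons = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if _stem_ext(name) in DECOY_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("document-looking double extension")
    if data[:2] == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header under non-executable extension")
    return reasons


def triage_attachment(name, data):
    """Return the list of quarantine reasons; an empty list means no finding."""
    findings = classify_file(name, data)
    if _ext(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for reason in classify_file(member, zf.read(member)):
                        findings.append(f"{member}: {reason}")
        except zipfile.BadZipFile:
            findings.append("zip archive fails to parse")
    return findings


def _make_zip(member_name, payload):
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed attachments: one benign PDF and three lures in the styles the
# article mentions (invoice, parcel notice, tax notification).
SAMPLE_ATTACHMENTS = [
    ("invoice_2015.pdf", b"%PDF-1.4 constructed sample"),
    ("Invoice_0317.pdf.exe", b"MZ\x90\x00 constructed"),
    ("parcel_notice.zip", _make_zip("parcel_notice.scr", b"MZ\x90\x00 constructed")),
    ("tax_notification.pdf", b"MZ\x90\x00 constructed"),
]


def triage_all(attachments):
    """Map attachment name -> quarantine reasons for a batch of (name, bytes)."""
    return {name: triage_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        verdict = "QUARANTINE" if reasons else "pass"
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

The content check matters more than the name checks: renaming a dropped executable defeats the extension rules, but not the header test, and the same rule set runs unchanged on archive members. A gateway would normally add document-macro and nested-archive handling on top of this.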
Our experts recommend that banks alert their customers and refresh the online banking security sections on their websites. Banks should ask customers to report suspicious emails to their abuse reporting mailboxes and work closely with their anti-fraud provider to lower risks as much as possible.
IBM Security’s Trusteer and Emergency Response Services have both worked with customers to study and stop Dyre Wolf attacks and can be of help to banks that wish to learn more about this high-risk threat.