On Feb. 6, 2016, Reuters broke an exclusive story about what appears to be a law enforcement raid that may have ended the activity of the cybercrime gang operating the Dyre banking Trojan. The story was followed up by a Forbes article with hints about arrests in the top echelon of the Dyre crew and a possibility that the malware’s source code was leaked.

Reuters reports that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called “Botnet,” loosely based on a 2010 cybercrime case.

Who executed the raid? 25th Floor’s CEO declined to comment on the case. A spokesman for the Russian Interior Ministry’s cybercrime unit denied involvement in the case. And the FSB, Russia’s main intelligence service, had no comment to offer reporters. The investigation was apparently aided by Moscow-based Kaspersky Lab; the security vendor reportedly plans to unveil details about the case in an annual user conference this week.

In the interim, security professionals and past victims of the gang operating the Dyre Trojan await news on what seems to be the genuine disruption of a major organized cybercrime ring that has robbed financial institutions of millions of dollars in the past two years.

Learn more about Staying ahead of threats with global threat intelligence

Gone Since November?

As details of the investigation aren’t yet public, here’s what we know about Dyre’s current status based on IBM Security insights gleaned from across the globe.

IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most.

Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration update servers and its real time webinjection server were both disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark.

Figure 1: Dyre attacks declined, then fell flat in late November 2015. (Source: IBM Trusteer)

It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November.

What’s Next for Dyre?

Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data.

If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities.

In the past two years, Dyre has been used at the hands of its malevolent owners to defraud banks and their customers of many millions of dollars since its emergence in 2014. In early 2015, Dyre was involved in multiple Dyre Wolf cases, robbing companies of sums that ranged from $500,000 to $1.5 million each. In May 2015, Dyre was implicated in the theft of $5.5 million from Irish budget airline Ryanair.

A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks, especially in the U.K., the U.S., Australia, Spain and other parts of Europe. But Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid.

Rumors of a possible Dyre source code leak remain unconfirmed.

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today