On Feb. 6, 2016, Reuters broke an exclusive story about what appears to be a law enforcement raid that may have ended the activity of the cybercrime gang operating the Dyre banking Trojan. The story was followed up by a Forbes article with hints about arrests in the top echelon of the Dyre crew and a possibility that the malware’s source code was leaked.
Reuters reports that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called “Botnet,” loosely based on a 2010 cybercrime case.
Who executed the raid? 25th Floor’s CEO declined to comment on the case. A spokesman for the Russian Interior Ministry’s cybercrime unit denied involvement in the case. And the FSB, Russia’s main intelligence service, had no comment to offer reporters. The investigation was apparently aided by Moscow-based Kaspersky Lab; the security vendor reportedly plans to unveil details about the case in an annual user conference this week.
In the interim, security professionals and past victims of the gang operating the Dyre Trojan await news on what seems to be the genuine disruption of a major organized cybercrime ring that has robbed financial institutions of millions of dollars in the past two years.
Learn more about Staying ahead of threats with global threat intelligence
Gone Since November?
As details of the investigation aren’t yet public, here’s what we know about Dyre’s current status based on IBM Security insights gleaned from across the globe.
IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most.
Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration update servers and its real time webinjection server were both disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark.
Figure 1: Dyre attacks declined, then fell flat in late November 2015. (Source: IBM Trusteer)
It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November.
What’s Next for Dyre?
Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data.
If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities.
In the past two years, Dyre has been used at the hands of its malevolent owners to defraud banks and their customers of many millions of dollars since its emergence in 2014. In early 2015, Dyre was involved in multiple Dyre Wolf cases, robbing companies of sums that ranged from $500,000 to $1.5 million each. In May 2015, Dyre was implicated in the theft of $5.5 million from Irish budget airline Ryanair.
A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks, especially in the U.K., the U.S., Australia, Spain and other parts of Europe. But Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid.
Rumors of a possible Dyre source code leak remain unconfirmed.
Principal Consultant, X-Force Cyber Crisis Management, IBM