IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations. The campaign, named “The Dyre Wolf” by IBM Security researchers, shows a brazen twist from the once-simple Dyre malware by adding sophisticated social engineering tactics likely to circumvent two-factor authentication. In recent incidents, organizations have lost between $500,000 and $1.5 million to attackers.
While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Since its start in 2014, Dyre has evolved to become simultaneously sophisticated and easy to use, enabling cybercriminals to go for the bigger payout.
In October 2014, the IBM Trusteer team reported a huge increase in the infection rate of the Dyre malware, from 500 instances to nearly 3,500. There seems to be a direct relationship between the development advancements within the Dyre project and this uptick. From Dyre’s very early days, its authors included a mechanism that spreads malware spam through a mass mailing to victims’ contact lists. This methodology has always proven effective for malware authors, and Dyre takes advantage of it with dramatic results.
Spear Phishing, Malware and DDoS! Oh My!
What do the dire wolf, the wolf in sheep’s clothing and “The Wolf of Wall Street” have in common? Deception and a ferocious appetite to get what they want. The Dyre Wolf campaign is no different. From an initial infection via the Upatre malware through a spear-phishing email to a distributed denial-of-service (DDoS) attack, the criminals carrying out this latest string of attacks are using numerous sophisticated techniques. However, social engineering and the resulting theft of banking credentials are the focus of this new campaign and ultimately what is used to illicitly transfer money from victims’ accounts.
Organized Cybercrime Rings
An experienced and resource-backed cybercrime gang operates Dyre. It has been used in wide-stroke attacks over the past year and has now moved into a more brazen stage of attacking corporate accounts through the incorporation of skilled social engineering schemes. What does this mean? As we continue to see, cybercriminals grow in resourcefulness and productivity at alarming rates. They are sharing expertise on a global scale via the Deep Web and launching carefully planned, long-term attacks to attain the highest return on investment.
In this campaign, the attackers are several steps ahead of everyone. Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. While there’s no easy way to know which companies do large wire transfers, it’s a very interesting coincidence. It’s also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware.
Once the infected victim tries to log in to one of the hundreds of bank websites that Dyre is programmed to monitor, a new screen appears instead of the corporate banking site. The page explains that the site is experiencing issues and that the victim should call the number provided to get help logging in.
One of the many interesting things about this campaign is that the attackers are bold enough to use the same phone number for each website, and they know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials.
As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.
This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees. IBM’s Cyber Security Intelligence Index indicated that 95 percent of all attacks involved some type of human error. These attackers rely on that factor: someone will open a suspicious attachment or link, and they can successfully steal millions.
The Dyre Wolf: What Can Be Done?
IBM Security recommends organizations follow these security best practices:
- Train employees on security and how to report suspicious activity.
- Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
- Offer security training to employees to help understand threats and measures they can take to protect the organization.
- Provide regular reminders to employees about phishing and spam campaigns, and that they shouldn’t open suspicious attachments or links in either work or personal email.
- Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.
Senior Threat Researcher, IBM
Senior Incident Response Analyst, IBM Emergency Response Services (ERS)