IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations. The campaign, named “The Dyre Wolf” by IBM Security researchers, shows a brazen twist from the once-simple Dyre malware by adding sophisticated social engineering tactics likely to circumvent two-factor authentication. In recent incidents, organizations have lost between $500,000 and $1.5 million to attackers.

While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Since its start in 2014, Dyre has evolved to become simultaneously sophisticated and easy to use, enabling cybercriminals to go for the bigger payout.

In October 2014, the IBM Trusteer team reported a huge increase in the infection rate of the Dyre malware, from 500 instances to nearly 3,500. There seems to be a direct relationship between the development advancements within the Dyre project and this uptick. From Dyre’s very early days, its authors included a mechanism that allows for spreading malware spam through a mass mailing of victims’ contacts lists. This methodology has always proven effective for malware authors, and Dyre takes advantage of it with dramatic results.

Spear Phishing, Malware and DDoS! Oh My!

What do the dire wolf, the wolf in sheep’s clothing and “The Wolf of Wall Street” have in common? Deception and a ferocious appetite to get what they want. The Dyre Wolf campaign is no different. From an initial infection via the Upatre malware through a spear-phishing email to a distributed denial-of-service (DDoS) attack, the criminals carrying out this latest string of attacks are using numerous sophisticated techniques. However, social engineering and the resulting banking credentials theft is the focus of this new campaign and is ultimately what is used to illicitly transfer money from victims’ accounts.

Organized Cybercrime Rings

An experienced and resource-backed cybercrime gang operates Dyre. It was used in wide-stroke attacks for the past year and has now moved into a more brazen stage of attacking corporate accounts via the incorporation of skilled social engineering schemes. What does this mean? As we continue to see, cybercriminals grow in resourcefulness and productivity at alarming rates. They are sharing expertise on a global scale via the Deep Web and launching carefully planned, long-term attacks to attain the highest return on investment.

In this campaign, the attackers are several steps ahead of everyone. Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. While there’s no easy way to know which companies do large wire transfers, it’s a very interesting coincidence. It’s also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware.

Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.

One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials.

As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.

This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees. IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error. These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.

The Dyre Wolf: What Can Be Done?

IBM Security recommends organizations follow these security best practices:

  • Train employees on security and how to report suspicious activity.
  • Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
  • Offer security training to employees to help understand threats and measures they can take to protect the organization.
  • Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
  • Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…