After takedowns against rival operations Dyre has filled the vacuum and now poses a major threat to banking customers in many countries.The Dyre financial Trojan has emerged over the past year to become one of the most potent financial fraud tools in operation. Dyre is configured to defraud the customers of more than 1,000 banks and other companies worldwide. Consumers in English speaking countries, in particular the US and UK, are most at risk, since this is where the largest numbers of targeted banks are located.
After a number of recent takedowns against major financial threats such as Gameover Zeus, Shylock and Ramnit, the threat posed by these groups has receded but Dyre has taken their place as one of the main threats to ordinary consumers.
Detected by Symantec as Infostealer.Dyre, Dyre targets Windows computers and can steal banking and other credentials by attacking all three major web browsers (Internet Explorer, Chrome, and Firefox). Dyre is a two-pronged threat. Aside from credentials, it can also be used to infect victims with other types of malware, such as adding them to spam botnets.
Spread of infections
Dyre is mainly spread using spam emails. In most cases the emails masquerade as businesses documents, voicemail or fax messages. If the victim clicks on an email’s attachment, they are redirected to a malicious website which will install the Upatre downloader on their computer (detected by Symantec as Downloader.Upatre).
Upatre is one of the most popular reconnaissance/downloader tools used by financial fraud groups and has previously been employed by the Gameover Zeus and Cryptolocker gangs. Upatre acts as a bridgehead on the victim’s computer, collecting information about it, attempting to disable security software, and finally downloading and installing the Dyre Trojan.
Dyre is capable of using several different types of man-in-the-browser (MITB) attacks against the victim’s web browser to steal credentials. One MITB attack involves scanning every web page visited and checking it against a list of sites Dyre is pre-configured to attack. If a match is found, it redirects the victim to a fake website that looks similar to its genuine counterpart. This fake website will harvest the victim’s credentials before redirecting back to the genuine website.
A second MITB attack allows Dyre to alter the way legitimate websites are displayed in the browser window by adding malicious code to it to steal the victim’s login credentials. In some scenarios, Dyre may also display an additional fake page informing the victim that their computer has not been recognized and that additional credentials need to be provided to verify their identity, such as their date of birth, PIN code, and credit card details.
Gateway to other threats
Dyre is also used to infect victims with further malware and Symantec has to date seen seven other malware families being pushed out to infected computers. In many cases, the victim is added to a botnet, which is then used to power further spam campaigns and infect more victims.
The attackers behind Dyre
Based on the times at which the Dyre attackers are most active, Symantec believes that the group is likely based in Eastern Europe or Russia. A large amount of the group’s command-and-control (C&C) infrastructure is located in these regions, but a relatively low number of infections occur in these countries. It is possible that the group may be attempting to keep a low profile by avoiding targets close to home.
Symantec and Norton products detect these threats as:
Other threats distributed by the Dyre Trojan are detected as:
- Always keep your security software up to date to protect yourself against any new variants of this malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of your bank’s website changes.