Advertisment

Hey BFSI, meet the latest trojan targeting your customers

author-image
Sonal Desai
New Update
Dyre

MUMBAI, INDIA: The BFSI segment is perennially at risk. While the CISOs and the CIOs are scouting for solutions for the latest malware that has hit their network, a new Trojan named Dyre, is quickly making its mark as the most feared one.

Advertisment

A new survey by Symantec on the Dyre Trojan found that take downs of the Gameover Zeus, Ramnit and Shylock operations, Dyre infections surged and attacks became more aggressive, making it the most dangerous financial Trojan.

Not surprisingly, the revelations were startling.
• Dyre is a sophisticated piece of malware, capable of hijacking all three major Web browsers-Internet Explorer, Chrome and Firefox to intercept banking credentials.

• Financial institutions in the US and UK are most targeted, not far behind, India ranks 6th globally and 2nd in Asia.

Advertisment

• Globally, targets also include users of electronic payment services and HR-related websites.

• While financial gain is the primary motivation, Dyre is often used to download additional malware onto a victim’s machine and add it to a botnet.

• Based on the activity observed, the attackers adhere to a five-day work week during the UTC +2 or UTC +3 time zones, suggesting they operate out of Eastern Europe or Russia.

Advertisment

The Trojan is already configured to defraud customers of more than 1,000 banks and other companies worldwide.

Who is at risk?
After take downs against rival operations Dyre has filled the vacuum and now poses a major threat to banking customers in many countries.

Dyre is configured to defraud the customers of more than 1,000 banks and other companies worldwide. Consumers in English speaking countries, in particular the US and UK are most at risk, since this is where the largest numbers of targeted banks are located.

Advertisment

After a number of recent takedowns against major financial threats such as Gameover Zeus, Shylock and Ramnit, the threat posed by these groups has receded but Dyre has taken their place as one of the main threats to ordinary consumers.

How the Trojan spreads?
Dyre is mainly spread by using spam emails. In most cases the emails masquerade as businesses documents, voicemail or fax messages. If the victim clicks on an email’s attachment, they are redirected to a malicious website which will install the Upatre downloader on their computer (detected by Symantec as Downloader.Upatre).

Upatre is one of the most popular reconnaissance/downloader tools used by financial fraud groups and has previously been employed by the Gameover Zeus and Cryptolocker gangs. Upatre acts as a bridgehead on the victim’s computer, collecting information about it, attempting to disable security software, and finally downloading and installing the Dyre Trojan.

Advertisment

The modus operandi:

Credential stealing
Dyre is capable of using several different types of man-in-the-browser (MITB) attacks that involves scanning every Web page visited and checking it against a list of sites Dyre is pre-configured to attack. If a match is found, it redirects the victim to a fake website that looks similar to its genuine counterpart. This fake website will harvest the victim’s credentials before redirecting back to the genuine website.

A second MITB attack allows Dyre to alter the way legitimate websites are displayed in the browser window by adding malicious code to it to steal the victim’s login credentials. In some scenarios, Dyre may also display an additional fake page informing the victim that their computer has not been recognized and that additional credentials need to be provided to verify their identity, such as their date of birth, PIN code, and credit card details.

Advertisment

Gateway to other threats:
Dyre is also used to infect victims with further malware and Symantec has to date seen seven other malware families being pushed out to infected computers. In many cases, the victim is added to a botnet, which is then used to power further spam campaigns and infect more victims.

The attackers behind Dyre
Based on the times at which the Dyre attackers are most active, Symantec believes that the group is likely based in Eastern Europe or Russia. A large amount of the group’s command-and-control (C&C) infrastructure is located in these regions, but a relatively low number of infections occur in these countries. It is possible that the group may be attempting to keep a low profile by avoiding targets close to home.

Some of the threats distributed by the Dyre Trojan:

Advertisment

Trojan.Spadyra
Trojan.Spadoluk
Trojan.Pandex.B
Infostealer.Kegotip
Trojan.Fareit
Trojan.Doscor
Trojan.Fitobrute

How will you mitigate Dyre?
• Always keep your security software up to date to protect yourself against any new variants of this malware.

• Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.

• Exercise caution when conducting online banking sessions, particularly if the behavior or appearance of your bank’s website changes.

bfsi tech-news security