by Bharat Mistry
In the cyber security industry there’s often an overwhelming focus on the latest breaking threats and attack techniques – so much so that there’s a danger of forgetting about the staggeringly large volume of existing malware threatening internet users. One such threat is notorious banking trojan DYRE, and the bad news is it has been particularly prolific so far this year.
Trend Micro researchers observed a staggering 125% increase in global infections – from 4,000 in Q4 2015 to 9,000 in the first three months of the year. It seems the cyber criminals behind it have been hard at work once again tweaking the threat to bypass security filters and improve their chances of success.
A brief history of DYRE
DYRE, or DYREZA, first appeared in around September 2014 when experts warned of a Zeus-like banking trojan designed to bypass SSL – the protocol commonly used to secure transactions on banking websites. Usually arriving via the UPATRE downloader, which is typically hidden in a file attached to a spam email, the malware was crafted to perform some or all of: man-in-the-middle attacks via browser injections; taking browser screenshots; stealing personal security certificates and online banking credentials; tracking the user’s location via STUN.
Cyber criminals are constantly adapting and evolving their threats to bypass security defences and DYRE is no different. In January, for example, we observed a new variant which hijacks Microsoft Outlook on a victim’s machine to fire out emails containing the UPATRE downloader to recipients. It was also noted that the gang behind it had begun using the I2P anonymiser network to hide the location of C&C servers. Another variant was discovered using advanced anti-sandboxing techniques to bypass next generation filters.
The current DYRE spam campaign observed by Trend Micro has mainly targeted APAC (43%) and EMEA (34%), although most actual infections were centred on EMEA (39%) and North America (38%) in Q1. The UK accounted for just over 3% of global infections.
The reason most infections are in EMEA and North America could be because most of the email samples seen have been sent in English. They typically use social engineering to scare the recipient into opening the malicious attachment containing UPATRE. In this version, however, the malware authors have tweaked the downloader not just to drop DYRE onto victim machines but also to disable firewalls and other network-level security, and switch off Windows default anti-malware.
It’s another great example of the never-ending cat and mouse game played out between the white hats and the cyber criminals. It’s also an excellent reason to be extra vigilant of any unsolicited emails in your inbox.
Stopping the threat
There are several steps online banking users can take to mitigate the risk of infection.
For starters you should:
- Get to know your bank’s policies regarding email notices. Always call first to verify whether an email is authentic, before opening.
- Bin any unsolicited emails containing attachments or suspicious looking emails
- Install comprehensive anti-malware. Trend Micro Custom Defense technology will protect you from UPATRE and DYRE.
- If you suspect DYRE may have been downloaded, change online banking passwords immediately using a different machine. Contact your bank to alert them of any suspicious transactions.