
Dyre Malware Gang Targets Spanish Banks

The criminal gang behind the Dyre malware will target more Spanish banks and Spain-based subsidiaries of other banks this summer with fraudulent wire transfers, according to IBM security researchers.

An analysis of the configuration file for the latest Dyre Trojan variant showed the malicious developers had updated the malware's Web injections to include 17 new banks in Spain, said researchers from IBM Security's X-Force. Previous versions of Dyre targeted only three or five Spanish banks, suggesting they were test runs.

Dyre's new capabilities have broadened the features and reach of the malware enough that it can now attack banks in other Spanish-speaking countries such as Chile, Venezuela, and Colombia, researchers said. Up until now, Dyre targeted banks all over Europe, with the highest number of infections in the United Kingdom, followed by France and Spain.

"Spanish banks and their corporate clients are at a higher risk to suffer targeted wire fraud attacks," IBM Security noted in a blog post.

Part advanced persistent threat and part financial fraud, targeted wire fraud combines advanced reconnaissance and social engineering to breach accounts and then initiates a very large illicit wire transfer.

Earlier this year, IBM Security researchers uncovered the initial Dyre Wolf attack campaign, which stole Salesforce.com logins of major American banks in order to harvest customer information. Originally a simple remote access Trojan (RAT), Dyre was designed to intercept encrypted credentials. Since then, the malware has evolved rapidly, incorporating new technologies such as encryption and evasion layers, anti-research features, and new anti-sandbox tricks, making it one of the most advanced malware families currently active. Its constant updates, sometimes weekly, make it difficult for antivirus and other static tools to detect the infection. Dyre relies on other malware groups to extend its reach, namely the Upatre downloader, which downloads the Trojan onto infected machines, and the Cutwail spam botnet, which spews out the malware-laden emails.

"Nowadays, Dyre is a full-blown banking Trojan that is keeping security professionals guessing, and its victims in constant remediation mode," IBM Security said.

A typical attack campaign begins with spam emails, such as tax notifications, invoices, and fake delivery notifications, with attachments booby-trapped with Upatre. When the recipient opens the file, the downloader fetches Dyre to infect the victim's machine.

Despite the malware's rapid evolution, the gang behind Dyre has consistently pursued high-value targets. On top of day-to-day wire fraud, a dedicated team focuses on corporate bank accounts and extremely high-value transfers, which can start at $500,000 and go up as high as $1.5 million. Impacted organizations include pharmaceuticals, oil and gas, and manufacturing. Dyre is currently the second most prolific Trojan used in cybercrime, after Neverquest, a widely used commercial malware, according to IBM data.

"This is definitely not what we see with commercial malware like Zeus, in every variation of it, nor with shared code like Bugat and Dridex, or even advanced leaked codes like Tinba and Neverquest," IBM Security said.

Dyre is interesting from a technical standpoint, but researchers focused much of their analysis on the gang behind the operation. The closed group developed Dyre internally and has kept it for its own use. The group doesn't appear to exchange information on underground forums, share knowledge, ask questions, or offer the malware for sale. From its infrastructure scheme, to the manpower, to the knowledge of banking websites and authentication schemes, this group is resource-backed, experienced, and savvy, IBM Security said.

"The cybercrime gang behind Dyre is certainly not composed of amateurs," the blog post noted.

The team appears to be highly organized. The overall botnet is divided into sections, campaigns are marked by the date they are launched, and different malware builds are associated with each region. There are individuals assigned to each region who work on regular shifts throughout the week. A special team executes the social engineering attacks, paying attention to the language and accent when making fraudulent telephone calls.

Banks should alert their customers and refresh the online banking security sections on their websites, IBM Security recommended. Customers should report suspicious emails and calls immediately.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.