Security Experts:

Dyre Trojan Attacks Inactive Since Mid-November, Sources Say

The activity of the Dyre Trojan has come to an apparent stop since mid-November, with no new spam campaigns to distribute it observed ever since, security researchers note.

Discovered in 2014, Dyre (Dyreza) is a popular banking, often distributed via spam campaigns, but also with the help of other malware such as Upatre and Bartalex. Over time, the actors behind Dyre have made various changes to the code to help avoid detection and prevent analysis.

Historically, Dyre’s operators have been very active with their spam emails on weekdays, typically launching between one and 15 separate email campaigns per day. The spam emails included malicious attachments, usually fake businesses documents, voicemail, or fax messages, which installed the Upatre downloader that, in turn, collected user information and installed Dyre.

According to Symantec, the number of Upatre infections has dropped to less than 20,000 since November, although it reached a 250,000 high in July 2015. The infections involving the Dyre Trojan itself dropped as well, from 9,000 in early 2015 to less than 600 per month since November.

Recently, the redirection attack scheme concept that Dyre employs was imported to another banking Trojan, namely Dridex. The creators of Dyre used local proxy redirects to serve fake online banking pages to users while they capture all of the information provided by the user, while Dridex started using a new local DNS poisoning technique last month.

At the time, IBM X-Force researchers suggested that the similarities between Dridex and Dyre might point to the fact that the groups behind them share some key developers or management. Dridex might have borrowed site replicas from the Dyre group and went to use the attack method in geographies where it had been used before, the researchers suggested.

However, new reports from Symantec and Dell SecureWorks suggest that the group behind Dyre might have ceased activity almost three months ago, which might explain why Dridex borrowed the attack scheme. The exact reasons behind long Dyre’s silence, however, remain uncertain, although researchers link the activity shutdown to a raid performed by Russian law enforcement.

According to Reuters, Russian authorities raided the offices of a company supposedly associated with the Dyre banking Trojan, yet no confirmation on the matter has been provided, and the news site cannot link the raid with Dyre’s shutdown.

Symantec, on the other hand, says that, despite the lack of official confirmation, evidence shows that the two might be related. Following the November raid, the security firm has observed a steep decline in Dyre activity, with no new spam campaigns associated to it launched since November 18, and with detections of the Trojan significantly lower since mid-November as well.

Dell SecureWorks' CTU Research Team, also says that the Dyre botnet has been inactive since November 19, and that no new spam emails to distribute it have been observed since. Furthermore, they told SecurityWeek in an email that Dyre’s command and control center (C&C) remains unresponsive to date, suggesting that the botnet is down.

Symantec and Dell researchers appear to agree on one fact: Dyre has been down since November and its activity stopped after the Russian authorities’ action, which indicates that the operation did manage to disrupt the botnet.

The Dyre Trojan has been used to target users of more than 1,000 banks and other companies worldwide, with individuals and organizations in the US, Canada, Australia, and the UK being the most affected. The malware has been seen as the highest threat to Windows users who perform online banking operations, but its disruption might not have the desired effects.

With Dyre down, other banking Trojans tried to gain momentum and started to appear more frequently in infection campaigns, including Dridex, which was supposedly disrupted in October. Furthermore, as Dridex activity increased following the October takedown attempt, chances are that the Dyre botnet will return as well, perhaps with regained strength.

Users are advised to install an email security solution that can protect them in the event they accidentally open a malicious email. They should also avoid clicking on emails or attachments coming from unknown sources, and should keep their operating system and anti-malware software up to date at all times.

view counter