Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Researchers have come across a new version of the Dyre banking malware that leverages a clever yet simple technique to evade sandboxes and prevent analysis.

The Dyre Trojan, which is distributed with the aid of other pieces of malware such as Upatre and Bartalex, has made numerous headlines lately. Last month, IBM reported that a cybercriminal gang had used the malware to steal over $1 million from the corporate accounts of U.S. businesses in an operation dubbed “Dyre Wolf.”

According to Seculert, the new Dyre sample they’ve analyzed is designed to check the number of processor cores on the infected machine. Since most modern PCs have at least two cores, a single core could indicate the presence of a sandbox. That is because sandboxes are usually configured to use only one core in order to save resources.

Numerous threats use anti-sandbox techniques to evade detection. However, most malware families leverage multiple techniques to achieve this goal. Dyre only uses this processor core counting technique, but it appears to be highly effective.

Seculert has tested the malware, which it discovered in early April, against four non-commercial and four commercial sandboxes and they all failed to analyze the new Dyre variant.

“Trying to put ourselves in the mindset of the cyber criminals, it is possible that they conducted their own research and determined that this one particular technique or check was the key to remaining undetected by sandboxing solutions,” Aviv Raff, CTO of Seculert, said in a blog post.

Raff says they are not disclosing the names of the sandboxes they have used in their tests. “We wouldn’t like to help the bad guys here, while the vendors are working on a fix,” he told SecurityWeek.

The malware developers have also attempted to ensure that their creation is not detected by signature-based security systems. For this purpose, they have changed user agents and the way the malware behaves.

The Dyre sample analyzed by Seculert was downloaded by a new version of the Upatre malware. This Upatre variant has a new communication path and uses two user agents instead of one like the older version. Researchers noted that in older variants the communication path was almost identical to the one of Dyre.

Seculert told SecurityWeek that other downloaders have also been seen downloading the new Dyre version.

“The Dyre malware’s success at evading sandboxes is just another example of why sandboxing, as a standalone, is an incomplete security approach,” Raff explained. “Rather the ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time. This approach will provide a much more comprehensive security posture in today’s worsening threat landscape.”