Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Researchers have come across a new version of the Dyre banking malware that leverages a clever yet simple technique to evade sandboxes and prevent analysis.

Researchers have come across a new version of the Dyre banking malware that leverages a clever yet simple technique to evade sandboxes and prevent analysis.

The Dyre Trojan, which is distributed with the aid of other pieces of malware such as Upatre and Bartalex, has made numerous headlines lately. Last month, IBM reported that a cybercriminal gang had used the malware to steal over $1 million from the corporate accounts of U.S. businesses in an operation dubbed “Dyre Wolf.”

According to Seculert, the new Dyre sample they’ve analyzed is designed to check the number of processor cores on the infected machine. Since most modern PCs have at least two cores, a single core could indicate the presence of a sandbox. That is because sandboxes are usually configured to use only one core in order to save resources.

Numerous threats use anti-sandbox techniques to evade detection. However, most malware families leverage multiple techniques to achieve this goal. Dyre only uses this processor core counting technique, but it appears to be highly effective.

Seculert has tested the malware, which it discovered in early April, against four non-commercial and four commercial sandboxes and they all failed to analyze the new Dyre variant.

“Trying to put ourselves in the mindset of the cyber criminals, it is possible that they conducted their own research and determined that this one particular technique or check was the key to remaining undetected by sandboxing solutions,” Aviv Raff, CTO of Seculert, said in a blog post.

Raff says they are not disclosing the names of the sandboxes they have used in their tests. “We wouldn’t like to help the bad guys here, while the vendors are working on a fix,” he told SecurityWeek.

The malware developers have also attempted to ensure that their creation is not detected by signature-based security systems. For this purpose, they have changed user agents and the way the malware behaves.

The Dyre sample analyzed by Seculert was downloaded by a new version of the Upatre malware. This Upatre variant has a new communication path and uses two user agents instead of one like the older version. Researchers noted that in older variants the communication path was almost identical to the one of Dyre.

Seculert told SecurityWeek that other downloaders have also been seen downloading the new Dyre version.

“The Dyre malware’s success at evading sandboxes is just another example of why sandboxing, as a standalone, is an incomplete security approach,” Raff explained. “Rather the ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time. This approach will provide a much more comprehensive security posture in today’s worsening threat landscape.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.