Security Experts:

Dyre Banking Trojan Now Targets Windows 10, Microsoft Edge

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

According to researchers, Dyre now also targets Windows 10 users, and in addition to Chrome, Firefox and Internet Explorer, the malware can also hook its malicious code into the process of Microsoft’s latest web browser, Edge.

The changes in the latest version of Dyre were documented by both Heimdal Security and F5 Networks.

F5 reported that the authors of Dyre have renamed some of the existing commands and added new ones for novel functionality. The new commands are used to get the IP of the command and control (C&C) server, the botnet name, configuration for fake pages, configuration for server-side webinjects, account information stolen by the Pony module, and an anti-antivirus module.

This anti-antivirus module, named “aa32” or “aa64” in the case of 64-bit versions of Windows, is injected into the “spoolsv.exe” process, which is normally used for fax and print jobs. The module is designed to locate security products installed on the infected machine and disable them by deleting their files or by changing their configuration.

The list of targeted antiviruses, detected by Dyre based on registry entries, includes products from Avira, AVG, Malwarebytes, Fortinet and Trend Micro. The malware also attempts to disable the Windows Defender service.

In order to make the malware more difficult to analyze, the developers have encrypted hardcoded debug strings and only decrypt them during runtime. As a result of this change, static analysis provides a lot less information about the Trojan’s behavior than before.

As for persistence after a reboot, previous versions of Dyre used a Run key in the registry, but the latest variant relies on a scheduled task that is run every minute.

Dyre developers also attempted to make the malware more difficult to detect by generating a pipe name based on a hash of the computer’s name and version of the operating system — initially the name of the pipe was hardcoded. However, experts say this doesn’t really help as the name can now be predicted for each infected device.

“We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous,” F5 said in a blog post. “They also wish to keep the malware up-to-date with current OS releases in order to be ‘compatible’ with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest.”

According to Heimdal Security, Dyre has already infected roughly 80,000 machines and the company believes the number will increase.

“The timing of this new strain is just right: the season for Thanksgiving, Black Friday and Christmas shopping is ready to start, so financial malware will be set to collect a huge amount of financial data. Users will be busy, prone to multitasking and likely to choose convenience over safety online,” Heimdal Security noted.

Related Reading: Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Related Reading: Dyre Malware Gang Targets Spanish Banks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.