Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Dyre Banking Trojan Now Targets Windows 10, Microsoft Edge

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

According to researchers, Dyre now also targets Windows 10 users, and in addition to Chrome, Firefox and Internet Explorer, the malware can also hook its malicious code into the process of Microsoft’s latest web browser, Edge.

The changes in the latest version of Dyre were documented by both Heimdal Security and F5 Networks.

F5 reported that the authors of Dyre have renamed some of the existing commands and added new ones for novel functionality. The new commands are used to get the IP of the command and control (C&C) server, the botnet name, configuration for fake pages, configuration for server-side webinjects, account information stolen by the Pony module, and an anti-antivirus module.

This anti-antivirus module, named “aa32” or “aa64” in the case of 64-bit versions of Windows, is injected into the “spoolsv.exe” process, which is normally used for fax and print jobs. The module is designed to locate security products installed on the infected machine and disable them by deleting their files or by changing their configuration.

The list of targeted antiviruses, detected by Dyre based on registry entries, includes products from Avira, AVG, Malwarebytes, Fortinet and Trend Micro. The malware also attempts to disable the Windows Defender service.

In order to make the malware more difficult to analyze, the developers have encrypted hardcoded debug strings and only decrypt them during runtime. As a result of this change, static analysis provides a lot less information about the Trojan’s behavior than before.

As for persistence after a reboot, previous versions of Dyre used a Run key in the registry, but the latest variant relies on a scheduled task that is run every minute.

Advertisement. Scroll to continue reading.

Dyre developers also attempted to make the malware more difficult to detect by generating a pipe name based on a hash of the computer’s name and version of the operating system — initially the name of the pipe was hardcoded. However, experts say this doesn’t really help as the name can now be predicted for each infected device.

“We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous,” F5 said in a blog post. “They also wish to keep the malware up-to-date with current OS releases in order to be ‘compatible’ with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest.”

According to Heimdal Security, Dyre has already infected roughly 80,000 machines and the company believes the number will increase.

“The timing of this new strain is just right: the season for Thanksgiving, Black Friday and Christmas shopping is ready to start, so financial malware will be set to collect a huge amount of financial data. Users will be busy, prone to multitasking and likely to choose convenience over safety online,” Heimdal Security noted.

Related Reading: Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Related Reading: Dyre Malware Gang Targets Spanish Banks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.