Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Dyre Banking Trojan Now Targets Windows 10, Microsoft Edge

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

According to researchers, Dyre now also targets Windows 10 users, and in addition to Chrome, Firefox and Internet Explorer, the malware can also hook its malicious code into the process of Microsoft’s latest web browser, Edge.

The changes in the latest version of Dyre were documented by both Heimdal Security and F5 Networks.

F5 reported that the authors of Dyre have renamed some of the existing commands and added new ones for novel functionality. The new commands are used to get the IP of the command and control (C&C) server, the botnet name, configuration for fake pages, configuration for server-side webinjects, account information stolen by the Pony module, and an anti-antivirus module.

This anti-antivirus module, named “aa32” or “aa64” in the case of 64-bit versions of Windows, is injected into the “spoolsv.exe” process, which is normally used for fax and print jobs. The module is designed to locate security products installed on the infected machine and disable them by deleting their files or by changing their configuration.

The list of targeted antiviruses, detected by Dyre based on registry entries, includes products from Avira, AVG, Malwarebytes, Fortinet and Trend Micro. The malware also attempts to disable the Windows Defender service.

In order to make the malware more difficult to analyze, the developers have encrypted hardcoded debug strings and only decrypt them during runtime. As a result of this change, static analysis provides a lot less information about the Trojan’s behavior than before.

As for persistence after a reboot, previous versions of Dyre used a Run key in the registry, but the latest variant relies on a scheduled task that is run every minute.

Advertisement. Scroll to continue reading.

Dyre developers also attempted to make the malware more difficult to detect by generating a pipe name based on a hash of the computer’s name and version of the operating system — initially the name of the pipe was hardcoded. However, experts say this doesn’t really help as the name can now be predicted for each infected device.

“We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous,” F5 said in a blog post. “They also wish to keep the malware up-to-date with current OS releases in order to be ‘compatible’ with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest.”

According to Heimdal Security, Dyre has already infected roughly 80,000 machines and the company believes the number will increase.

“The timing of this new strain is just right: the season for Thanksgiving, Black Friday and Christmas shopping is ready to start, so financial malware will be set to collect a huge amount of financial data. Users will be busy, prone to multitasking and likely to choose convenience over safety online,” Heimdal Security noted.

Related Reading: Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Related Reading: Dyre Malware Gang Targets Spanish Banks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.