Security Experts:

Connect with us

Hi, what are you looking for?



Dyre Malware Gang Targets Spanish Banks

The criminal gang behind the Dyre malware will target more Spanish banks and Spain-based subsidiaries of other banks this summer with fraudulent wire transfers, according to IBM security researchers.

The criminal gang behind the Dyre malware will target more Spanish banks and Spain-based subsidiaries of other banks this summer with fraudulent wire transfers, according to IBM security researchers.

An analysis of the configuration file for the latest Dyre Trojan variant showed the malicious developers had updated the malware’s Web injections to include 17 new banks in Spain, said researchers from IBM Security’s X-Force. Previous versions of Dyre targeted only three or five Spanish banks, suggesting they were test runs.

Dyre’s new capabilities have broadened the features and reach of the malware enough that it can now attack banks in other Spanish-speaking countries such as Chile, Venezuela, and Colombia, researchers said. Up until now, Dyre targeted banks all over Europe, with the highest number of infections in the United Kingdom, followed by France and Spain.

“Spanish banks and their corporate clients are at a higher risk to suffer targeted wire fraud attacks,” IBM Security noted in a blog post.

Part advanced persistent threat and part financial fraud, targeted wire fraud combines advanced reconnaissance and social engineering to breach accounts and then initiates a very large illicit wire transfer.

IBM Security researchers uncovered the initial Dyre Wolf attack campaign stealing logins of major American banks in order to harvest customer information earlier this year. Originally a simple remote access Trojan (RAT), Dyre was designed to intercept encrypted credentials. Since then, the malware has evolved rapidly, incorporating new technologies such as encryption and evasion layers, anti-research features, and new anti-sandbox tricks, making it one of the most advanced malware families currently active. Its constant updates, sometimes weekly, make it difficult for antivirus and other static tools to detect the infection. Dyre relies on other malware groups to extend its reach, namely the Upatre downloader, which downloads the Trojan onto infected machines, and the Cutwail spam botnet, which spews out the malware-laden emails.

“Nowadays, Dyre is a full-blown banking Trojan that is keeping security professionals guessing, and its victims in constant remediation mode,” IBM Security said.

A typical attack campaign begins with spam emails, such as tax notifications, invoices, and fake delivery notifications, with attachments booby-trapped with Upatre. When the recipient opens the file, the downloader fetches Dyre to infect the victim’s machine.

Despite its rapid evolution, the gang behind Dyre has consistently targeted high-value targets. On top of day-to-day wire fraud, a dedicated team focuses on corporate bank accounts and extremely high value transfers, which can start at $500,000 and go up as high as $1.5 million. Impacted organizations include pharmaceuticals, oil and gas, and manufacturing. Dyre is currently the second most prolific Trojan used in cybercrime, after Neverquest, a widely-used commercial malware, according to IBM data.

“This is definitely not what we see with commercial malware like Zeus, in every variation of it, nor with shared code like Bugat and Dridex, or even advanced leaked codes like Tinba and Neverquest,” IBM Security said.

Dyre is interesting from a technical standpoint, but researchers focused much of its analysis on the gang behind the operation. The closed group developed Dyre internally and has kept it for its own use. The group doesn’t appear to exchange information on underground forums, share knowledge, ask questions, or offer the malware for sale. From its infrastructure scheme, to the manpower, to the knowledge of banking websites and authentication schemes, this group is resource backed, experienced, and savvy, IBM security said.

“The cybercrime gang behind Dyre is certainly not composed of amateurs,” the blog post noted.

The team appears to be highly organized. The overall botnet is divided into sections, campaigns are marked by the date they are launched, and different malware builds are associated with each region. There are individuals assigned to each region who work on regular shifts throughout the week. A special team executes the social engineering attacks, paying attention to the language and accent when making fraudulent telephone calls.

Banks should alert their customers and refresh the online banking security sections on their websites, IBM Security recommended. Customers should report suspicious emails and calls immediately.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.