Dyre Trojan Uses Semi-Random File Names to Evade Detection

The creators of the notorious Dyre banking Trojan have started using some new techniques to make the malware more difficult to detect and remove.

According to researchers at IBM, the developers of Dyre have decided to modify the threat’s persistence mechanism and replace run keys in the Windows Registry with task scheduling.

“The Registry still contains the instructions, but files run by the scheduler can be found in a preset Windows Tasks folder, where they are fetched as needed. By turning Dyre’s run into a scheduled task, it becomes more resilient to deletion by the user or security products,” Or Safran, malware researcher at IBM Trusteer, explained in a blog post. “But it also gives its developer the flexibility to decide when to run and how often, or upon which type of OS event to rerun the malware file.”

Another change made by Dyre developers is related to the names given to configuration files. By giving these files semi-random names, the cybercriminals hope to prevent their creation from being detected by automated security solutions designed to search and remove the file.

The configuration file names generated by the malware are different for each infected device, but they are the same for a particular user. The filename is obtained by concatenating the device name with the username, and hashing the resulting string three times using SHA-256. Between each round of hashing, the malware adds one to the ASCII value of the byte (e.g. “C” becomes “D”). The resulting hash is processed into a new 16-byte string that represents the name of the configuration file.

In case the name of the infected machine cannot be obtained, the malware is designed to simply use the letter “C” as the device’s name, researchers said.
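The naming scheme above is deterministic for a given host and user, which is exactly what lets a defender turn it into a detection check. The following Python is an added example, not code from IBM or from the article: it reproduces the described derivation (device name concatenated with username, three rounds of SHA-256, each intermediate digest shifted by adding one to every character's ASCII value, and an empty device name replaced by "C") and then matches the expected name against a directory listing. The article does not say how the final hash is "processed into a new 16-byte string", so this example assumes the first 16 characters of the hex digest, and it assumes the ASCII shift is applied to the hex digest rather than to raw digest bytes; both are labelled assumptions, and the function names are this example's own.

```python
import hashlib
import os
from typing import Iterable, List, Optional


def _shift_ascii(text: str) -> str:
    """Add one to the ASCII value of every character ("C" becomes "D").

    Assumption: the shift is applied to each character of the hex digest
    produced by the previous SHA-256 round.
    """
    return "".join(chr(ord(ch) + 1) for ch in text)


def dyre_config_name(device_name: Optional[str], username: str,
                     rounds: int = 3, name_len: int = 16) -> str:
    """Return the expected configuration file name for one host/user pair.

    Mirrors the derivation described in the article: concatenate the device
    name and the username, hash with SHA-256 three times, and shift the
    intermediate result by one ASCII value between rounds. A missing device
    name falls back to the literal "C", as the article states.

    Assumption: the final "16-byte string" is the first 16 hex characters
    of the last digest; the article does not specify this step.
    """
    if not device_name:
        device_name = "C"
    current = device_name + username
    for round_index in range(rounds):
        digest = hashlib.sha256(current.encode("utf-8")).hexdigest()
        # The shift happens between rounds, not after the last one.
        current = _shift_ascii(digest) if round_index < rounds - 1 else digest
    return current[:name_len]


def expected_names(pairs: Iterable[tuple]) -> dict:
    """Build a watchlist mapping (device, user) -> expected file name.

    Useful for feeding into file-name matching in an EDR or SIEM query.
    """
    return {(dev, user): dyre_config_name(dev, user) for dev, user in pairs}


def find_matching_files(directory: str, device_name: Optional[str],
                        username: str) -> List[str]:
    """List files in `directory` whose name equals the expected name.

    The article names the Windows Tasks folder for the scheduled task but
    not the configuration file's location, so the caller supplies the
    directory to inspect. Matching is case-insensitive, as NTFS is.
    """
    target = dyre_config_name(device_name, username).lower()
    try:
        entries = os.listdir(directory)
    except OSError:
        return []
    return [name for name in entries if name.lower() == target]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("WS-FIN-01", "alice"), ("WS-FIN-02", "bob"), ("", "carol")]
    for key, name in expected_names(inventory).items():
        print(f"{key[0] or 'C'}\\{key[1]} -> {name}")
```

Run against an inventory export of host/user pairs, the watchlist gives one concrete file name per pair; a hit on that name in a user-writable location is a strong indicator, because the name is otherwise meaningless and never appears by chance.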

While this semi-random filename should make it more difficult to detect Dyre, experts noted that knowing the algorithm that is used to obtain the name can actually help detect the presence of the threat.

“These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static security and maintain its foothold in infected endpoints,” said Safran.

Dyre has evolved a great deal in recent months. In April, researchers at Seculert reported spotting a version of the malware that counted processor cores in an effort to determine whether it was running on a real machine or in a sandbox.

Earlier this year, IBM revealed that Dyre was used by a cybercrime gang to steal more than $1 million from the corporate accounts of U.S. businesses. The attackers conducted a sophisticated operation that involved spear-phishing emails, stolen credentials, tech support scams, and distributed denial-of-service (DDoS) attacks.

Data gathered by IBM shows that the countries most targeted by Dyre over the past couple of months are the United States (27%), the United Kingdom (20%), Australia (7%) and Germany (7%).

Related Reading: Bartalex Malware Used to Deliver Dyre Banking Trojan to Enterprises

Related Reading: Dyre Malware Gang Targets Spanish Banks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
