Security Experts:

IBM: Cyber-gang Uses Dyre Malware to Loot Corporate Bank Accounts

IBM has unearthed evidence of an international cybercrime operation that has plundered more than $1 million from the corporate accounts of U.S. businesses.

IBM has dubbed the operation 'The Dyre Wolf' after the Dyre malware at the center of the scheme. In October, US-CERT warned the malware was being used in spear-phishing campaigns to steal money from victims.

In the campaign uncovered by IBM, attackers often used phony invoices laced with malware to snare their victims. While the file inside the attached zip file has an embedded PDF icon, it is actually an EXE or SCR file. Once opened, the victim is served the Upatre malware, which in turn downloads Dyre.

"Once Dyre is loaded, Upatre removes itself as everything going forward is the result of the extensive functionality of Dyre itself," IBM noted in its report. "The password-stealing function of Dyre is the focus of this campaign, and ultimately what's used to directly transfer the money from the victim’s account. Dyre’s set up, much like Upatre’s, requires a number of steps to remain stealthy which helps it to spread itself to additional victims."

Dyre also hooks into the victim's browsers (Internet Explorer, Chrome and Firefox) in order to steal credentials the user enters when they visit any of the targeted bank sites. In some cases, possibly due to the use of two-factor authentication, an extra dose of social engineering is used. 

"Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site," blogged John Kuhn, senior threat researcher at IBM. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in."

According to IBM, when the victims call the number, they are greeted by a person with an American accent who states he works with the affected bank. After a brief conversation, the individual prompts the person to give their username and password and appears to verify it several times. The person may also ask for a token code, and ask to speak with a co-worker with similar access to the account and get information from them as well.

"One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as," Kuhn blogged.

This all results in successfully duping their victims into providing their company’s banking credentials, he added.

After stealing the credentials, the attacker logs into the account and transfers large sums of money to various offshore accounts, IBM notes in its report. There have been reports of amounts ranging from $500,000 to $1 million USD being stolen via multiple, smaller transactions. As if that were not enough, the victim may also be hit with a distributed denial-of-service attack to cover the attacker's tracks.

"The DDoS itself appears to be volumetric in nature," according to IBM's report. "Using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream. While they may have the potential to attack any external point in a business's network, the incidents we are tracking appear to focus on the company's website."

Back in October, IBM's Trusteer team tracked a spike in the infection rate of Dyre, which is now believed by the firm to be in direct relationship with the development advancements within the Dyre project. In its current form, the malware appears to be owned and operated by a closed cyber-gang based in Eastern Europe, though the malware code itself could be operated by several connected teams attacking different geographies, IBM reported.

"The sophistication and the level of deception that Dyre is now using is unprecedented when it comes to banking trojans," Kuhn told SecurityWeek. "The social engineering to defeat two-factor authentication shows the level of dedication and persistence to obtain their goal. Covering their tracks by initiating the denial-of-service attacks demonstrates how far they will go to ensure that the illicit transfer of money is hidden for as long as possible. The Dyre Wolf campaign is well funded, sophisticated and methodical in the theft off large sums of money."

*This story was updated with additional information about the attack. 

view counter