Vulnerabilities / Threats

2/9/2016
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

As Dyre Goes Quiet, Focus Turns On Other Banking Trojans

Dridex, Gozi, and Shifu are just three of the many malware tools that could replace Dyre, security researchers say.

With the operators of the infamous Dyre banking Trojan either lying low or busted by law enforcement authorities in Russia, security researchers are keeping a wary eye on a handful of other malware tools with the potential to cause equal trouble.

Prime among them are Dridex, Gozi, Tinba, and Shifu—all Trojans that have been associated with attacks against customers of major banks worldwide recently.

Reuters this week reported that Russian authorities in November 2015 had raided the offices of a film distribution and production company in Moscow as part of a crackdown on a cyber crime gang that had caused millions of dollars in losses to major banks like JPMorgan Chase and Bank of America.

The Reuters reports suggested that the raid had resulted in Russian authorities arresting the operators of the Dyre Trojan. But the news service added that it could not confirm that fact from conversations with Russian law enforcement authorities and the country’s main intelligence service. The report characterized the raid as one of the biggest ever crackdowns on cyber crime in Russia.

Security researchers who have been following Dyre for some time said the timing of the raid in November and the fact that the malware has dropped off the map since then suggest a distinct link between the two.

Dell SecureWorks’ Counter Threat Unit, which was the team that originally disclosed the Dyre threat, has not observed any Dyre-related activity since Nov. 19, the date of the reported Russian raid, say Pierre-Marc Bureau and Pallav Khandhar, security researchers at the company.

“As of Nov. 19th, CTU researchers have not seen any new spam emails distributing the Dyre Banking Trojan, and the botnet's command-and-control infrastructure remains unresponsive,” the two researchers said in emailed comments to Dark Reading.

Prior to the apparent takedown of the operation, Dyre was being used to target not just global financial institutions, but also shipping, e-commerce, warehousing, and online technology stores. In total, the last version of Dyre was being used to target over 500 organizations. Countries with the most number of Dyre victims included the US, Canada, Germany, India, France, and Australia, according to SecureWorks.

Since November, not only has Dyre activity completely died off, there is also an overall drop in banking botnet activity in 2016 so far, the researchers say.

Diana Kelley, executive security advisor at IBM Security says that Dyre malware infection rates have dropped precipitously since November, with new infections appearing in the bare single digits at most per day.

The malware’s configuration update and webinjection servers too have been dark since last November, according to a separate IBM blog post.

The big question now is how long it will take for some other Trojan to take its place. In the past, whenever a major malware operation like Dyre has been taken down, something else has invariably surfaced.

“This is actually a business opportunity for already established banking botnet operations,” say Bureau and Khandhar from SecureWorks. “We do expect other cyber criminal groups might increase the size of their operation to fill in the gap left by Dyre's decline.”

Candidates to take that role include the Gozi banking botnet and the Dridex banking botent -- both of which are among the most widely deployed malware tools targeting the financial services industry, the researchers said. “They might just become aggressive to take over the business which Dyre leaves behind.”

Another Trojan to keep an eye on is the Tinba Trojan, says Kelley. The Trojan, which till recently wasn’t considered a major threat, has been spreading and is now the sixth most widely deployed banking malware. It represented about 5 percent of all observed attacks in 2015, she says.

“Tinba malware started out as a classic banking Trojan in 2012, configured to grab user credentials and network traffic, yet in mid-2014, its source code was leaked, giving rise to three more Tinba variations,” Kelley says. Newer versions of the malware appear to have been developed by different groups of cybercriminals, she says. It was the first malware of its kind dedicated to Romanian banks, and is also being use as part of a campaign targeting business and corporate accounts in Singapore, Kelley said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Game Change: Meet the Mach37 Fall Startups
Ericka Chickowski, Contributing Writer, Dark Reading,  10/18/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.