Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2016
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

As Dyre Goes Quiet, Focus Turns On Other Banking Trojans

Dridex, Gozi, and Shifu are just three of the many malware tools that could replace Dyre, security researchers say.

With the operators of the infamous Dyre banking Trojan either lying low or busted by law enforcement authorities in Russia, security researchers are keeping a wary eye on a handful of other malware tools with the potential to cause equal trouble.

Prime among them are Dridex, Gozi, Tinba, and Shifu—all Trojans that have been associated with attacks against customers of major banks worldwide recently.

Reuters this week reported that Russian authorities in November 2015 had raided the offices of a film distribution and production company in Moscow as part of a crackdown on a cyber crime gang that had caused millions of dollars in losses to major banks like JPMorgan Chase and Bank of America.

The Reuters reports suggested that the raid had resulted in Russian authorities arresting the operators of the Dyre Trojan. But the news service added that it could not confirm that fact from conversations with Russian law enforcement authorities and the country’s main intelligence service. The report characterized the raid as one of the biggest ever crackdowns on cyber crime in Russia.

Security researchers who have been following Dyre for some time said the timing of the raid in November and the fact that the malware has dropped off the map since then suggest a distinct link between the two.

Dell SecureWorks’ Counter Threat Unit, which was the team that originally disclosed the Dyre threat, has not observed any Dyre-related activity since Nov. 19, the date of the reported Russian raid, say Pierre-Marc Bureau and Pallav Khandhar, security researchers at the company.

“As of Nov. 19th, CTU researchers have not seen any new spam emails distributing the Dyre Banking Trojan, and the botnet's command-and-control infrastructure remains unresponsive,” the two researchers said in emailed comments to Dark Reading.

Prior to the apparent takedown of the operation, Dyre was being used to target not just global financial institutions, but also shipping, e-commerce, warehousing, and online technology stores. In total, the last version of Dyre was being used to target over 500 organizations. Countries with the most number of Dyre victims included the US, Canada, Germany, India, France, and Australia, according to SecureWorks.

Since November, not only has Dyre activity completely died off, there is also an overall drop in banking botnet activity in 2016 so far, the researchers say.

Diana Kelley, executive security advisor at IBM Security says that Dyre malware infection rates have dropped precipitously since November, with new infections appearing in the bare single digits at most per day.

The malware’s configuration update and webinjection servers too have been dark since last November, according to a separate IBM blog post.

The big question now is how long it will take for some other Trojan to take its place. In the past, whenever a major malware operation like Dyre has been taken down, something else has invariably surfaced.

“This is actually a business opportunity for already established banking botnet operations,” say Bureau and Khandhar from SecureWorks. “We do expect other cyber criminal groups might increase the size of their operation to fill in the gap left by Dyre's decline.”

Candidates to take that role include the Gozi banking botnet and the Dridex banking botent -- both of which are among the most widely deployed malware tools targeting the financial services industry, the researchers said. “They might just become aggressive to take over the business which Dyre leaves behind.”

Another Trojan to keep an eye on is the Tinba Trojan, says Kelley. The Trojan, which till recently wasn’t considered a major threat, has been spreading and is now the sixth most widely deployed banking malware. It represented about 5 percent of all observed attacks in 2015, she says.

“Tinba malware started out as a classic banking Trojan in 2012, configured to grab user credentials and network traffic, yet in mid-2014, its source code was leaked, giving rise to three more Tinba variations,” Kelley says. Newer versions of the malware appear to have been developed by different groups of cybercriminals, she says. It was the first malware of its kind dedicated to Romanian banks, and is also being use as part of a campaign targeting business and corporate accounts in Singapore, Kelley said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...