Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2016
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

As Dyre Goes Quiet, Focus Turns On Other Banking Trojans

Dridex, Gozi, and Shifu are just three of the many malware tools that could replace Dyre, security researchers say.

With the operators of the infamous Dyre banking Trojan either lying low or busted by law enforcement authorities in Russia, security researchers are keeping a wary eye on a handful of other malware tools with the potential to cause equal trouble.

Prime among them are Dridex, Gozi, Tinba, and Shifu—all Trojans that have been associated with attacks against customers of major banks worldwide recently.

Reuters this week reported that Russian authorities in November 2015 had raided the offices of a film distribution and production company in Moscow as part of a crackdown on a cyber crime gang that had caused millions of dollars in losses to major banks like JPMorgan Chase and Bank of America.

The Reuters reports suggested that the raid had resulted in Russian authorities arresting the operators of the Dyre Trojan. But the news service added that it could not confirm that fact from conversations with Russian law enforcement authorities and the country’s main intelligence service. The report characterized the raid as one of the biggest ever crackdowns on cyber crime in Russia.

Security researchers who have been following Dyre for some time said the timing of the raid in November and the fact that the malware has dropped off the map since then suggest a distinct link between the two.

Dell SecureWorks’ Counter Threat Unit, which was the team that originally disclosed the Dyre threat, has not observed any Dyre-related activity since Nov. 19, the date of the reported Russian raid, say Pierre-Marc Bureau and Pallav Khandhar, security researchers at the company.

“As of Nov. 19th, CTU researchers have not seen any new spam emails distributing the Dyre Banking Trojan, and the botnet's command-and-control infrastructure remains unresponsive,” the two researchers said in emailed comments to Dark Reading.

Prior to the apparent takedown of the operation, Dyre was being used to target not just global financial institutions, but also shipping, e-commerce, warehousing, and online technology stores. In total, the last version of Dyre was being used to target over 500 organizations. Countries with the most number of Dyre victims included the US, Canada, Germany, India, France, and Australia, according to SecureWorks.

Since November, not only has Dyre activity completely died off, there is also an overall drop in banking botnet activity in 2016 so far, the researchers say.

Diana Kelley, executive security advisor at IBM Security says that Dyre malware infection rates have dropped precipitously since November, with new infections appearing in the bare single digits at most per day.

The malware’s configuration update and webinjection servers too have been dark since last November, according to a separate IBM blog post.

The big question now is how long it will take for some other Trojan to take its place. In the past, whenever a major malware operation like Dyre has been taken down, something else has invariably surfaced.

“This is actually a business opportunity for already established banking botnet operations,” say Bureau and Khandhar from SecureWorks. “We do expect other cyber criminal groups might increase the size of their operation to fill in the gap left by Dyre's decline.”

Candidates to take that role include the Gozi banking botnet and the Dridex banking botent -- both of which are among the most widely deployed malware tools targeting the financial services industry, the researchers said. “They might just become aggressive to take over the business which Dyre leaves behind.”

Another Trojan to keep an eye on is the Tinba Trojan, says Kelley. The Trojan, which till recently wasn’t considered a major threat, has been spreading and is now the sixth most widely deployed banking malware. It represented about 5 percent of all observed attacks in 2015, she says.

“Tinba malware started out as a classic banking Trojan in 2012, configured to grab user credentials and network traffic, yet in mid-2014, its source code was leaked, giving rise to three more Tinba variations,” Kelley says. Newer versions of the malware appear to have been developed by different groups of cybercriminals, she says. It was the first malware of its kind dedicated to Romanian banks, and is also being use as part of a campaign targeting business and corporate accounts in Singapore, Kelley said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8033
PUBLISHED: 2020-08-14
In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.
CVE-2020-15692
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands...
CVE-2020-15693
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values...
CVE-2020-15694
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
CVE-2015-8032
PUBLISHED: 2020-08-14
In Textpattern 4.5.7, an unprivileged author can change an article's markup setting.