As Dyre Goes Quiet, Focus Turns On Other Banking Trojans

Dridex, Gozi, and Shifu are just three of the many malware tools that could replace Dyre, security researchers say.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

With the operators of the infamous Dyre banking Trojan either lying low or busted by law enforcement authorities in Russia, security researchers are keeping a wary eye on a handful of other malware tools with the potential to cause equal trouble.

Prime among them are Dridex, Gozi, Tinba, and Shifu—all Trojans that have been associated with attacks against customers of major banks worldwide recently.

Reuters this week reported that Russian authorities in November 2015 had raided the offices of a film distribution and production company in Moscow as part of a crackdown on a cyber crime gang that had caused millions of dollars in losses to major banks like JPMorgan Chase and Bank of America.

The Reuters reports suggested that the raid had resulted in Russian authorities arresting the operators of the Dyre Trojan. But the news service added that it could not confirm that fact from conversations with Russian law enforcement authorities and the country’s main intelligence service. The report characterized the raid as one of the biggest ever crackdowns on cyber crime in Russia.

Security researchers who have been following Dyre for some time said the timing of the raid in November and the fact that the malware has dropped off the map since then suggest a distinct link between the two.

Dell SecureWorks’ Counter Threat Unit, which was the team that originally disclosed the Dyre threat, has not observed any Dyre-related activity since Nov. 19, the date of the reported Russian raid, say Pierre-Marc Bureau and Pallav Khandhar, security researchers at the company.

“As of Nov. 19th, CTU researchers have not seen any new spam emails distributing the Dyre Banking Trojan, and the botnet's command-and-control infrastructure remains unresponsive,” the two researchers said in emailed comments to Dark Reading.

Prior to the apparent takedown of the operation, Dyre was being used to target not just global financial institutions, but also shipping, e-commerce, warehousing, and online technology stores. In total, the last version of Dyre was being used to target over 500 organizations. Countries with the most number of Dyre victims included the US, Canada, Germany, India, France, and Australia, according to SecureWorks.

Since November, not only has Dyre activity completely died off, there is also an overall drop in banking botnet activity in 2016 so far, the researchers say.

Diana Kelley, executive security advisor at IBM Security says that Dyre malware infection rates have dropped precipitously since November, with new infections appearing in the bare single digits at most per day.

The malware’s configuration update and webinjection servers too have been dark since last November, according to a separate IBM blog post.

The big question now is how long it will take for some other Trojan to take its place. In the past, whenever a major malware operation like Dyre has been taken down, something else has invariably surfaced.

“This is actually a business opportunity for already established banking botnet operations,” say Bureau and Khandhar from SecureWorks. “We do expect other cyber criminal groups might increase the size of their operation to fill in the gap left by Dyre's decline.”

Candidates to take that role include the Gozi banking botnet and the Dridex banking botent -- both of which are among the most widely deployed malware tools targeting the financial services industry, the researchers said. “They might just become aggressive to take over the business which Dyre leaves behind.”

Another Trojan to keep an eye on is the Tinba Trojan, says Kelley. The Trojan, which till recently wasn’t considered a major threat, has been spreading and is now the sixth most widely deployed banking malware. It represented about 5 percent of all observed attacks in 2015, she says.

“Tinba malware started out as a classic banking Trojan in 2012, configured to grab user credentials and network traffic, yet in mid-2014, its source code was leaked, giving rise to three more Tinba variations,” Kelley says. Newer versions of the malware appear to have been developed by different groups of cybercriminals, she says. It was the first malware of its kind dedicated to Romanian banks, and is also being use as part of a campaign targeting business and corporate accounts in Singapore, Kelley said.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights