With the operators of the infamous Dyre banking Trojan either lying low or busted by law enforcement authorities in Russia, security researchers are keeping a wary eye on a handful of other malware tools with the potential to cause equal trouble.
Reuters this week reported that Russian authorities in November 2015 had raided the offices of a film distribution and production company in Moscow as part of a crackdown on a cyber crime gang that had caused millions of dollars in losses to major banks like JPMorgan Chase and Bank of America.
The Reuters reports suggested that the raid had resulted in Russian authorities arresting the operators of the Dyre Trojan. But the news service added that it could not confirm that fact from conversations with Russian law enforcement authorities and the country’s main intelligence service. The report characterized the raid as one of the biggest ever crackdowns on cyber crime in Russia.
Security researchers who have been following Dyre for some time said the timing of the raid in November and the fact that the malware has dropped off the map since then suggest a distinct link between the two.
Dell SecureWorks’ Counter Threat Unit, which was the team that originally disclosed the Dyre threat, has not observed any Dyre-related activity since Nov. 19, the date of the reported Russian raid, say Pierre-Marc Bureau and Pallav Khandhar, security researchers at the company.
“As of Nov. 19th, CTU researchers have not seen any new spam emails distributing the Dyre Banking Trojan, and the botnet's command-and-control infrastructure remains unresponsive,” the two researchers said in emailed comments to Dark Reading.
Prior to the apparent takedown of the operation, Dyre was being used to target not just global financial institutions, but also shipping, e-commerce, warehousing, and online technology stores. In total, the last version of Dyre was being used to target over 500 organizations. Countries with the most number of Dyre victims included the US, Canada, Germany, India, France, and Australia, according to SecureWorks.
Since November, not only has Dyre activity completely died off, there is also an overall drop in banking botnet activity in 2016 so far, the researchers say.
Diana Kelley, executive security advisor at IBM Security says that Dyre malware infection rates have dropped precipitously since November, with new infections appearing in the bare single digits at most per day.
The malware’s configuration update and webinjection servers too have been dark since last November, according to a separate IBM blog post.
The big question now is how long it will take for some other Trojan to take its place. In the past, whenever a major malware operation like Dyre has been taken down, something else has invariably surfaced.
“This is actually a business opportunity for already established banking botnet operations,” say Bureau and Khandhar from SecureWorks. “We do expect other cyber criminal groups might increase the size of their operation to fill in the gap left by Dyre's decline.”
Candidates to take that role include the Gozi banking botnet and the Dridex banking botent -- both of which are among the most widely deployed malware tools targeting the financial services industry, the researchers said. “They might just become aggressive to take over the business which Dyre leaves behind.”
Another Trojan to keep an eye on is the Tinba Trojan, says Kelley. The Trojan, which till recently wasn’t considered a major threat, has been spreading and is now the sixth most widely deployed banking malware. It represented about 5 percent of all observed attacks in 2015, she says.
“Tinba malware started out as a classic banking Trojan in 2012, configured to grab user credentials and network traffic, yet in mid-2014, its source code was leaked, giving rise to three more Tinba variations,” Kelley says. Newer versions of the malware appear to have been developed by different groups of cybercriminals, she says. It was the first malware of its kind dedicated to Romanian banks, and is also being use as part of a campaign targeting business and corporate accounts in Singapore, Kelley said.