Eastern European Cyber-gang manages a new Dyre Wolf campaign

Pierluigi Paganini April 03, 2015

Security experts at IBM have discovered a highly sophisticated malware campaign, based on the Dyre Trojan, that targets corporate bank accounts.

IBM has uncovered a major cyber criminal operation dubbed "The Dyre Wolf", after the name of the popular Dyre malware used by the crooks. The Dyre malware had already been spotted in the wild by several security firms; in October the US-CERT published a security advisory on it, just after the experts at IBM's Trusteer security team observed a spike in the number of Dyre infections.

In January 2015 the experts at TrendMicro detected a new strain of the Dyre/Dyreza banking malware with new propagation and evasion techniques.

[Figure: Dyre infections, IBM]

The latest Dyre operation discovered by the IBM experts is similar to the previous ones: in this case too, the attackers used spear-phishing emails as the infection vector, sending the victims a .zip archive with a bogus invoice. The archive contains an EXE or SCR file carrying an embedded PDF icon to trick the victims.

However, according to the experts, the level of sophistication and deception that Dyre shows in this latest wave of attacks is unprecedented.

Once the attachment is opened, the victim is infected with the Upatre malware, a malicious code used as a downloader for the Dyre agent.
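One defender-side check suggested by the lure described above, added here as an example that is not part of the article or the IBM report: inspect archive attachments for executables posing as documents (an executable extension, a document-like double extension, or a PE "MZ" header under any name). The sample archive and the document-extension list are constructed assumptions.

```python
import io
import os
import zipfile
from typing import Dict, List

# Payload extensions the campaign used for the disguised "invoice" (per the IBM report)
EXEC_EXTENSIONS = {".exe", ".scr"}
# Document extensions an attacker would place in front of the real one (assumption)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def build_sample_archive(payload_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip shaped like the bogus-invoice lure (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(payload_name, payload)
        zf.writestr("readme.txt", b"Please find the invoice attached.")
    return buf.getvalue()


def suspicious_entries(archive_bytes: bytes) -> List[Dict[str, object]]:
    """Return every archive entry that looks like an executable disguised as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            stem, ext = os.path.splitext(name)
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if stem.endswith(DOC_EXTENSIONS):
                reasons.append("document-like double extension")
            # A Windows PE file starts with the two-byte 'MZ' DOS header, whatever its name
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    lure = build_sample_archive("Invoice_2015-03.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
    for finding in suspicious_entries(lure):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```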

“Once Dyre is loaded, Upatre removes itself as everything going forward is the result of the extensive functionality of Dyre itself,” states the report published by IBM.

Dyre implements an effective data stealer: it hooks into the victim's browser to intercept the user's credentials when he accesses online banking services, and it can also inject code to alter the user's perception of the service and bypass 2FA authentication mechanisms.

"The password-stealing function of Dyre is the focus of this campaign, and ultimately what's used to directly transfer the money from the victim's account. Dyre's set-up, much like Upatre's, requires a number of steps to remain stealthy, which helps it to spread itself to additional victims," continues the report. "Dyre uses its elusive technical means to serve the victim with fake messages on screen to lure them into providing personally identifying information (PII) and two-factor authentication (2FA) codes (mostly token-generated one-time passwords)."

The new Dyre campaign also has some very interesting characteristics: once infected, when the victim tries to access his banking service he is shown a message inviting him to contact customer service because of a problem with the bank's website. The operators at the bogus call center are trained to trick victims into revealing personal information and sensitive data, including banking credentials.

"Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site," wrote John Kuhn, senior threat researcher at IBM. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in." "One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as," Kuhn blogged.

Once the banking credentials are obtained, the attackers access the victim's account and transfer large sums of money to offshore accounts controlled by the criminals. The experts estimate that the crooks have already stolen between $500,000 and $1 million USD.

The attackers appear to be true professionals; they also hit the victims with a DDoS attack as a diversionary tactic.

"The DDoS itself appears to be volumetric in nature," according to IBM's report. "Using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream. While they may have the potential to attack any external point in a business's network, the incidents we are tracking appear to focus on the company's website."

In its current form, the malware appears to be owned and operated by a closed cyber-gang based in Eastern Europe, though the malware code itself could be operated by several connected teams attacking different geographies, IBM reported.

The investigators speculate that the new Dyre operation is run by a cyber gang in Eastern Europe; the IBM experts were impressed by the dedication and persistence of the threat actors.

"The Dyre Wolf campaign is well funded, sophisticated and methodical in the theft of large sums of money," said the security engineer Adrian Ludwig.

Pierluigi Paganini

(Security Affairs –  Dyre, malware)
