Bad actors behind the Dyre botnet operate like a business

Experts at Symantec observed a significant upsurge in activity over the past year for the Dyre financial Trojan, which is used to target banking customers worldwide.

The operators behind the popular Dyre banking Trojan appear very active in this period. According to security experts at Symantec, they work a five-day week to maintain some 285 command and control servers handling stolen banking credentials.

Dyre (also known as Dyreza) is financial malware that targets a large number of banks worldwide. The bad actors behind its botnet control a large number of domains in order to host the phishing websites used to steal banking credentials.

Cyber criminals used more than 1,000 websites to clone the legitimate sites of organizations in the US, UK, Germany, Australia, and France.

The infection vector used to spread the Dyre Trojan is email: the attackers send victims messages that usually masquerade as business documents, voicemails, or fax notifications. The malicious emails carry either an attachment or a link to a domain that serves the malicious code.
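As an added example (not code from the article or from Symantec), the following triage script scores an incoming message against the lure characteristics described above: a subject themed as a business document, voicemail or fax, a risky attachment, and links to hosts outside an allow-list. The theme keywords, the risky-extension set, the sample messages and the domains in them are all constructed for this example and are not indicators taken from the report.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Lure themes the article attributes to Dyre campaigns (business documents, voicemail, fax);
# the extra finance words are an assumption to make the heuristic slightly more general.
LURE_THEMES = re.compile(
    r"\b(voicemail|voice message|fax|invoice|remittance|payment|documents?)\b", re.I
)
# Attachment types that typically carry droppers; this set is an assumption for the example.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".cab"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def score_message(raw: str, trusted_domains: set[str]) -> dict:
    """Return a simple lure score for one RFC 5322 message and the reasons behind it."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = msg.get("Subject", "")
    if LURE_THEMES.search(subject):
        reasons.append(f"lure-themed subject: {subject!r}")

    # Attachments: flag archive/executable file types regardless of the declared MIME type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment: {name}")

    # Links in the body: anything not under a trusted domain counts against the message.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in URL_RE.findall(text):
        h = host.lower()
        if not any(h == d or h.endswith("." + d) for d in trusted_domains):
            reasons.append(f"link to untrusted host: {h}")

    return {"score": len(reasons), "reasons": reasons, "quarantine": len(reasons) >= 2}


def build_sample_lure() -> str:
    """Constructed sample: a fax-themed lure with a zip attachment and an external link."""
    m = EmailMessage()
    m["From"] = "fax@example-fax.test"          # constructed sender
    m["To"] = "accounts@victim.test"            # constructed recipient
    m["Subject"] = "New Fax Received - 2 pages"
    m.set_content("You have a new fax. Download it at http://docs-download.test/fax.zip")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="fax_2pages.zip")
    return m.as_string()


def build_sample_benign() -> str:
    """Constructed sample: an ordinary internal message with a link to a trusted host."""
    m = EmailMessage()
    m["From"] = "alice@partner.test"
    m["To"] = "accounts@victim.test"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes are on the wiki: https://wiki.victim.test/notes")
    return m.as_string()


if __name__ == "__main__":
    trusted = {"victim.test"}
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, score_message(raw, trusted))
```

The score is deliberately additive rather than a single rule, because each signal on its own (a fax subject, a zip attachment, an external link) is common in legitimate mail; it is the combination the article describes that makes a message worth quarantining for a closer look.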

“A significant upsurge in activity over the past year has seen Dyre emerge as one of the most dangerous financial trojans, capable of defrauding customers of a wide range of financial institutions across multiple countries,” states the Symantec report. “Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers.”

“It is a multi-pronged threat and is often used to download additional malware on to the victim’s computer. In many cases, the victim is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat further afield,” Symantec wrote in its detailed report on Dyre.

The experts revealed that the majority of infections are located in Europe, with the exception of Russia and Ukraine, where Symantec discovered that the majority of command and control servers are located. The experts also noticed that financial institutions in those regions are generally not targeted by the Dyre malware, a circumstance that led them to believe that the threat actors operate in the same area.

“Based on our monitoring of Dyre activity, the attackers appear to adhere to a five-day working week, with no activity on Saturday and Sunday. Monday is the busiest day in terms of activity. This may be due to backlogs resulting from the weekend break. Activity is measured by counting event updates from C&C servers. In terms of operating hours, activity ranges from 3am to 10pm UTC timing, with most of the updates occurring from 9am to 4pm UTC. Since the attackers appear to be operating in the UTC +2 or UTC +3 time zones, it is possible that the attacks originate in Eastern Europe or Russia, based on the workday pattern observed. While a large amount of Dyre’s C&C infrastructure is located in those regions, a relatively low amount of infections is seen. In addition, financial institutions in those regions are generally not on the target list. One possibility is that the attackers may be reluctant to draw attention” continues Symantec.
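The attribution reasoning in the quote above (counting C&C event updates, checking which weekdays are quiet, and shifting the UTC hour histogram until the busy hours line up with a normal working day) can be reproduced on any event log. The following script is an added example, not Symantec's tooling: it fabricates a C&C update log for operators working a five-day week in an assumed UTC+3 zone, then recovers the weekday pattern, the active UTC window and the most likely offset from the timestamps alone.

```python
from collections import Counter
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def generate_constructed_events(start: datetime, days: int, local_offset_hours: int,
                                per_hour: int = 5) -> list[datetime]:
    """Constructed sample log: C&C event updates (naive UTC datetimes) from operators who
    work 09:00-17:00 local time on weekdays only, with a Monday backlog of double volume."""
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() >= 5:          # no activity on Saturday and Sunday
            continue
        for hour in range(9, 17):
            n = per_hour * (2 if day.weekday() == 0 else 1)
            for k in range(n):
                local = day.replace(hour=hour, minute=(60 * k) // n, second=0)
                # Convert the operators' local clock to UTC, which is what a log would record.
                events.append(local - timedelta(hours=local_offset_hours))
    return events


def weekday_profile(events: list[datetime]) -> Counter:
    """Event updates per weekday; quiet days reveal the operators' working week."""
    return Counter(WEEKDAYS[e.weekday()] for e in events)


def hour_profile(events: list[datetime]) -> Counter:
    """Event updates per UTC hour of day."""
    return Counter(e.hour for e in events)


def active_window_utc(events: list[datetime]) -> tuple[int, int]:
    """Earliest and latest UTC hour in which any update was seen."""
    hours = hour_profile(events)
    return min(hours), max(hours)


def infer_utc_offset(events: list[datetime], work_start: int = 9, work_end: int = 17) -> int:
    """Pick the UTC offset (whole hours, -12..+14) that places the largest share of updates
    inside an assumed local working day of work_start..work_end. This is the same idea as
    reading '9am to 4pm UTC' as a UTC+2/UTC+3 office day; the working-day bounds are an
    assumption of the model, not a fact about any particular group."""
    best_offset, best_inside = 0, -1
    for offset in range(-12, 15):
        inside = sum(1 for e in events if work_start <= (e.hour + offset) % 24 < work_end)
        if inside > best_inside:
            best_offset, best_inside = offset, inside
    return best_offset


def summarize(events: list[datetime]) -> dict:
    """Bundle the three views an analyst would look at when profiling C&C activity."""
    by_day = weekday_profile(events)
    first, last = active_window_utc(events)
    return {
        "busiest_weekday": by_day.most_common(1)[0][0],
        "quiet_days": [d for d in WEEKDAYS if by_day[d] == 0],
        "active_utc_window": (first, last),
        "likely_utc_offset": infer_utc_offset(events),
    }


if __name__ == "__main__":
    # Two constructed weeks starting on Monday 1 June 2015, operators assumed to sit at UTC+3.
    log = generate_constructed_events(datetime(2015, 6, 1), days=14, local_offset_hours=3)
    print(summarize(log))
```

With real data the hour histogram is never this clean, so the offset search should be read as a ranking of candidate zones rather than a proof; it is the combination with the empty weekend and the Monday backlog that makes the working-week interpretation convincing.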

The report highlights that Dyre implements several anti-analysis techniques, including anti-debugging, obfuscation and anti-emulation. According to the experts at Symantec, the bad actors used 21 different IP addresses to run man-in-the-browser attacks on the victims, while 14 IP addresses were used to distribute the malicious payload.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Botnet, Dyre)
