The new TrickBot Banking Trojan seems to have been developed by Dyre authors

Pierluigi Paganini October 17, 2016

Researchers at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan is now behind the new Trickbot malware.

This morning I published a post on the data provided by Group-IB on crime trends, the report published by the security firm reveals a continuous evolution of cybercriminal ecosystem. The story that I’m going to tell you confirms this rapid evolution, at least one of the author behind the infamous Dyre banking Trojan (aka Dyreza) is apparently working on a new banking Trojan dubbed ‘TrickBot.’

The Dyreza botnet infected hundreds of thousands of machines worldwide, according to the Heimdal Security, in November 2015 more than 80.000 machines were already infected with Dyre Trojan across the world. Security experts estimated that users of more than 1000 financial institutions have fallen victim of the threat.

In November 2015, Dyre activity ceased, the Reuters agency also reported authorities raided offices of a Russian film distribution and production company as part of an operation against the Dyre gang.

The operation of the Russian police successfully beheaded the organization behind the Dyre Trojan,

“We have seen a disruption over the last few months that is definitely consistent with successful law enforcement action,” explained security expert John Miller from iSight Partners.

Now security experts at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan has escaped the arrest and he is now participating in a new project.


Researchers at Fidelis Cybersecurity that are monitoring the evolution of the TrickBot malware speculate it has a strong connection to Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.

“In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.

TrickBot includes more C++ code, compared to Dyre, which is mostly written using the programming language C. Another difference is that the new trojan leverages on the Microsoft CryptoAPI instead of built-in functions for AES and SHA-256 hashing.

Below the main differences highlighted in the analysis:

  • Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence
  • Instead of running an onboard SHA256 hashing routine or AES routine the bot utilizes Microsoft CryptoAPI
  • There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.

“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.” states the post.

The analysis of the custom crypter revealed that the malware loader (TrickLoader) is the same used by other malware such as VawtrakPushdo and Cutwail malware. This last malware is associated with the spambot used by threat actor behind the Dyre threat, this element suggests that cybercriminals are trying to rebuild the Cutwail botnet.

For further information give a look at the post that includes a full list of IOCs and hashes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Dyre, TrickLoader)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment