Tricky new malware strain, Dyre, skirts detection and steals banking credentials

A recently identified malware strain, known as Dyre, is going after specific banking credentials.

While investigating a successful phishing campaign in which attackers had been using Dropbox to deliver ransomware, researchers with PhishMe uncovered a similar scheme that appears to be using a previously undocumented malware strain.

The malware, referred to as Dyre, is primarily for stealing banking credentials, Ronnie Tokazowski, a senior researcher with PhishMe, told SCMagazine.com in a Tuesday email correspondence, explaining it goes after specific banks, including Bank of America and Citigroup.

Dyre also monitors network traffic and bypasses SSL mechanisms in browsers, surreptitiously modifying network traffic and redirecting users back to legitimate sites, Tokazowski said, explaining that it uses a technique known as “browser hooking” to steal submitted login data just before the information is encrypted.

“In testing, when the data was processed, the user's browser pointed to HTTPS, remained encrypted even after submitting the information, and gave zero signs to the user that their computer was infected – scary stuff,” Tokazowski said, adding the malware is a small code change away from being able to steal Facebook, Gmail and any other accounts passing through HTTPS.

Dyre was initially identified in a new phishing scheme that Tokazowski said is probably from the same attackers responsible for the Dropbox phishing campaign, which, as of last week, may have resulted in 350,000 ransomware infections and more than $70,000 in Bitcoin earned.

This time, emails claiming to contain invoices or federal tax information are linking recipients to Cubby, a service similar to Dropbox, according to a Friday post. When the ZIP file is downloaded and opened, users who run the screensaver file inside it become infected with Dyre.
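The delivery chain above (a ZIP from a file-sharing link whose payload is a Windows screensaver file) is the kind of thing a mail gateway or download scanner can flag before a user double-clicks it. The following is an added example written for this article, not code from PhishMe or the report it describes; the extension list and the sample archive contents are constructed for illustration.

```python
import io
import zipfile

# File extensions Windows treats as directly executable when double-clicked.
# ".scr" (screensaver) is the one the Dyre lure used; the rest are a
# constructed, non-exhaustive list of the usual suspects.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Magic bytes at the start of every Windows PE executable ("MZ" header).
PE_MAGIC = b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return names of ZIP members that would run as native code if opened.

    A member is flagged when either its final extension is executable
    (this also catches double extensions such as 'Invoice.pdf.scr') or its
    content begins with the PE 'MZ' header despite a document-like name.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            with archive.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if ext in EXECUTABLE_EXTENSIONS or head == PE_MAGIC:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes} (test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a double-extension screensaver beside a harmless text file.
    sample = build_sample_zip({"Invoice_2014.pdf.scr": b"MZ\x90\x00", "readme.txt": b"hello"})
    print(suspicious_members(sample))  # → ['Invoice_2014.pdf.scr']
```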

“In working with Dropbox, [the company has] been very quick to remove the [malicious] links,” Tokazowski said. “With the switch to Cubby, a service by LogMeIn, the attackers [have found] another legitimate service for hosting their malware.”

Despite its similarity to other malware, Tokazowski said he performed extensive open source research – based on strings, domains, infrastructure, code, and more – and could not find anything to prove the Dyre malware had been previously documented.

“I also reached out to crimeware experts in the field, asking to verify if this was new,” Tokazowski said. “The overall conclusion is that this was in fact a new sample targeting enterprises. The industry hasn't seen this until now.”

Researchers with CSIS also analyzed the malware, referring to it as Dyreza.
