Tricky new malware strain, Dyre, skirts detection and steals banking credentials

A recently identified malware strain, known as Dyre, is going after specific banking credentials.

While investigating a successful phishing campaign in which attackers had been using Dropbox to deliver ransomware, researchers with PhishMe uncovered a similar scheme that appears to be using a previously undocumented malware strain.

The malware, referred to as Dyre, is primarily for stealing banking credentials, Ronnie Tokazowski, a senior researcher with PhishMe, told SCMagazine.com in a Tuesday email correspondence, explaining it goes after specific banks, including Bank of America and Citigroup.

Dyre also monitors network traffic, bypasses SSL mechanisms in browsers, surreptitiously modifies network traffic and redirects users back to legitimate sites, Tokazowski said, explaining that it uses a technique known as "browser hooking" in order to steal submitted login data just before the browser encrypts it.

“In testing, when the data was processed, the user's browser pointed to HTTPS, remained encrypted even after submitting the information, and gave zero signs to the user that their computer was infected – scary stuff,” Tokazowski said, adding the malware is a small code change away from being able to steal Facebook, Gmail and any other accounts passing through HTTPS.

Dyre was initially identified in a new phishing scheme that Tokazowski said is probably from the same attackers responsible for the Dropbox phishing campaign, which, as of last week, may have resulted in 350,000 ransomware infections and more than $70,000 in Bitcoin earned.

This time, emails claiming to contain invoices or federal tax information link recipients to Cubby, a service similar to Dropbox, according to a Friday post. When the ZIP file is downloaded and opened, users who run the screensaver file inside it become infected with Dyre; a Windows .scr screensaver file is an ordinary executable, so opening it runs the malware.

“In working with Dropbox, [the company has] been very quick to remove the [malicious] links,” Tokazowski said. “With the switch to Cubby, a service by LogMeIn, the attackers [have found] another legitimate service for hosting their malware.”

Despite its similarity to other malware, Tokazowski said he performed extensive open source research – based on strings, domains, infrastructure, code, and more – and could not find anything to prove the Dyre malware had been previously documented.

“I also reached out to crimeware experts in the field, asking to verify if this was new,” Tokazowski said. “The overall conclusion is that this was in fact a new sample targeting enterprises. The industry hasn't seen this until now.”

Researchers with CSIS also analyzed the malware, referring to it as Dyreza.
