Dyre malware infections surge in 2015

First profiled nearly a year ago, Dyre malware infections are surging around the world, and particularly in Europe and North America.

Only 4,000 Dyre infections occurred in the final quarter of 2014 while there were nearly 9,000 infections during the first quarter of 2015, Trend Micro wrote in a blog post. Thirty-nine percent of infections were attributed to European users, and North American users accounted for another 38 percent.

Tom Kellermann, chief security officer at Trend Micro, said in an interview with SCMagazine.com that traditional cyber attack logic holds that hackers target the “low-hanging fruit.” The opposite is true in this case.

“Basically the best hackers in Eastern Europe will try to break into the most solid banks in the world, or the European banks,” he said. “They're all about if I can take down the top piece of fruit, I can take down the whole tree.”

Europe's strict regulations make its banks' security tighter than that of American or Asian banks.

With that in mind, attackers are now beginning to target the Asia Pacific and Japan region with spammed attachments. Asia Pacific users were targeted by 44 percent of Dyre-infected emails within the first week of May.

Beyond the uptick in infections, Trend Micro discovered a new version of Dyre in a spam run that further helps the malware evade detection. This new malware strain uses Upatre, a Dyre precursor, to disable firewall and network-related security by modifying registry entries and stopping related services.

It also disables Windows' default anti-malware feature, Trend Micro wrote.

Kellermann said these tactics allow the malware to stay on a victim's system for further use.

“Once they steal credentials and steal the money, they can sell the compromised system to others or precipitate secondary schemes against the victims,” he said.

To protect organizations, Kellermann suggested using two-factor authentication, not multi-factor, which can be compromised when an infection allows attackers to use a keylogger or capture screen grabs. Furthermore, he said, custom sandboxing is necessary.
