'Dyre' malware resurfaces, targets Australian banks

Those behind the 'Dyre' attacks are likely back in business


One of the most devastating banking Trojans, thought to have been subdued in 2015, has resurfaced with a new name to target financial institutions in Australia, new research suggests.

The new malware bot, calling itself 'TrickBot', was recently discovered by Fidelis Cybersecurity and shares "striking similarities" to the 'Dyre Trojan', which terrorised worldwide financial institutions in and caused tens of millions of dollars in damages between 2014-15. English-speaking countries were worst affected by the Dyre campaign, particularly the UK, US, and Australia.

Those responsible for the Dyre Trojan attacks were arrested by Russian authorities in November 2015, and since then there has been no sign of the malware, effectively disappearing overnight.

However, Jason Reaves, Fidelis threat researcher, believes at least some of those involved in the Dyre attacks may have resumed their criminal activities.

Advertisement - Article continues below

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering," said Reaves.

The TrickBot campaign has been observed using 'webinjects', a malware technique that intercepts data before it is encrypted by a website's SSL, to steal information including usernames and passwords. So far the campaign has targeted a number of Australian banks including ANZ, NAB and Westpac, echoing the activities favoured by the Dyre Trojan.

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot," said Reaves. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."

The researcher points to similarities between the two Trojans, including a custom cryptor and loader, and an updated bot believed to be based on Dyre code.

The bot appears to be still in development, which Reaves believes is evidence that those responsible are "pushing to rebuild their Cutwail botnet" in preparation for future attacks.

"It'll be interesting to see if TrickBot can reach or pass its predecessor," said Reaves.

In mid-2015 budget airline Ryanair lost over $5 million when it was scammed by a Dyre Trojan fraudulent email campaign.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Best antivirus for Windows 10

3 Sep 2019

Best free malware removal tools 2019

8 Mar 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Why 5G could be a cyber security nightmare

6 Dec 2019