News

'Dyre' malware resurfaces, targets Australian banks

Those behind the 'Dyre' attacks are likely back in business

18 Oct 2016

One of the most devastating banking Trojans, thought to have been subdued in 2015, has resurfaced with a new name to target financial institutions in Australia, new research suggests.

The new malware bot, calling itself 'TrickBot', was recently discovered by Fidelis Cybersecurity and shares "striking similarities" to the 'Dyre Trojan', which terrorised worldwide financial institutions in and caused tens of millions of dollars in damages between 2014-15. English-speaking countries were worst affected by the Dyre campaign, particularly the UK, US, and Australia.

Those responsible for the Dyre Trojan attacks were arrested by Russian authorities in November 2015, and since then there has been no sign of the malware, effectively disappearing overnight.

However, Jason Reaves, Fidelis threat researcher, believes at least some of those involved in the Dyre attacks may have resumed their criminal activities.

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering," said Reaves.

The TrickBot campaign has been observed using 'webinjects', a malware technique that intercepts data before it is encrypted by a website's SSL, to steal information including usernames and passwords. So far the campaign has targeted a number of Australian banks including ANZ, NAB and Westpac, echoing the activities favoured by the Dyre Trojan.

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot," said Reaves. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."

The researcher points to similarities between the two Trojans, including a custom cryptor and loader, and an updated bot believed to be based on Dyre code.

The bot appears to be still in development, which Reaves believes is evidence that those responsible are "pushing to rebuild their Cutwail botnet" in preparation for future attacks.

"It'll be interesting to see if TrickBot can reach or pass its predecessor," said Reaves.

In mid-2015 budget airline Ryanair lost over $5 million when it was scammed by a Dyre Trojan fraudulent email campaign.