'Dyre' malware resurfaces, targets Australian banks

Those behind the 'Dyre' attacks are likely back in business


One of the most devastating banking Trojans, thought to have been subdued in 2015, has resurfaced with a new name to target financial institutions in Australia, new research suggests.

The new malware bot, calling itself 'TrickBot', was recently discovered by Fidelis Cybersecurity and shares "striking similarities" to the 'Dyre Trojan', which terrorised worldwide financial institutions in and caused tens of millions of dollars in damages between 2014-15. English-speaking countries were worst affected by the Dyre campaign, particularly the UK, US, and Australia.

Those responsible for the Dyre Trojan attacks were arrested by Russian authorities in November 2015, and since then there has been no sign of the malware, effectively disappearing overnight.

However, Jason Reaves, Fidelis threat researcher, believes at least some of those involved in the Dyre attacks may have resumed their criminal activities.

Advertisement - Article continues below
Advertisement - Article continues below

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering," said Reaves.

The TrickBot campaign has been observed using 'webinjects', a malware technique that intercepts data before it is encrypted by a website's SSL, to steal information including usernames and passwords. So far the campaign has targeted a number of Australian banks including ANZ, NAB and Westpac, echoing the activities favoured by the Dyre Trojan.

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot," said Reaves. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."

The researcher points to similarities between the two Trojans, including a custom cryptor and loader, and an updated bot believed to be based on Dyre code.

The bot appears to be still in development, which Reaves believes is evidence that those responsible are "pushing to rebuild their Cutwail botnet" in preparation for future attacks.

"It'll be interesting to see if TrickBot can reach or pass its predecessor," said Reaves.

Advertisement - Article continues below

In mid-2015 budget airline Ryanair lost over $5 million when it was scammed by a Dyre Trojan fraudulent email campaign.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020