'Dyre' malware resurfaces, targets Australian banks

Those behind the 'Dyre' attacks are likely back in business


One of the most devastating banking Trojans, thought to have been subdued in 2015, has resurfaced with a new name to target financial institutions in Australia, new research suggests.

The new malware bot, calling itself 'TrickBot', was recently discovered by Fidelis Cybersecurity and shares "striking similarities" to the 'Dyre Trojan', which terrorised worldwide financial institutions in and caused tens of millions of dollars in damages between 2014-15. English-speaking countries were worst affected by the Dyre campaign, particularly the UK, US, and Australia.

Advertisement - Article continues below

Those responsible for the Dyre Trojan attacks were arrested by Russian authorities in November 2015, and since then there has been no sign of the malware, effectively disappearing overnight.

However, Jason Reaves, Fidelis threat researcher, believes at least some of those involved in the Dyre attacks may have resumed their criminal activities.

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering," said Reaves.

The TrickBot campaign has been observed using 'webinjects', a malware technique that intercepts data before it is encrypted by a website's SSL, to steal information including usernames and passwords. So far the campaign has targeted a number of Australian banks including ANZ, NAB and Westpac, echoing the activities favoured by the Dyre Trojan.

Advertisement - Article continues below

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot," said Reaves. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."

Advertisement - Article continues below

The researcher points to similarities between the two Trojans, including a custom cryptor and loader, and an updated bot believed to be based on Dyre code.

The bot appears to be still in development, which Reaves believes is evidence that those responsible are "pushing to rebuild their Cutwail botnet" in preparation for future attacks.

"It'll be interesting to see if TrickBot can reach or pass its predecessor," said Reaves.

In mid-2015 budget airline Ryanair lost over $5 million when it was scammed by a Dyre Trojan fraudulent email campaign.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020