
'Dyre' malware resurfaces, targets Australian banks

Those behind the 'Dyre' attacks are likely back in business


One of the most devastating banking Trojans, thought to have been subdued in 2015, has resurfaced with a new name to target financial institutions in Australia, new research suggests.

The new malware bot, calling itself 'TrickBot', was recently discovered by Fidelis Cybersecurity and shares "striking similarities" with the 'Dyre' Trojan, which terrorised financial institutions worldwide and caused tens of millions of dollars in damages between 2014 and 2015. English-speaking countries were worst affected by the Dyre campaign, particularly the UK, US and Australia.

Those responsible for the Dyre Trojan attacks were arrested by Russian authorities in November 2015, and since then there had been no sign of the malware, which effectively disappeared overnight.

However, Jason Reaves, Fidelis threat researcher, believes at least some of those involved in the Dyre attacks may have resumed their criminal activities.

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering," said Reaves.

The TrickBot campaign has been observed using 'webinjects', a man-in-the-browser technique in which the malware hooks the victim's browser and alters the bank's web pages, or captures submitted form data, after the browser has decrypted the SSL/TLS traffic and before the response is re-encrypted. Because the tampering happens inside the browser, the connection can be fully encrypted on the wire and the usernames, passwords and other details entered on the page are still stolen. So far the campaign has targeted a number of Australian banks including ANZ, NAB and Westpac, echoing the targeting favoured by the Dyre Trojan.
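To make the webinject mechanism concrete, the following is an added illustration and not code or configuration from TrickBot, Dyre or Fidelis. It uses the textual rule format popularised by the Zeus family (set_url / data_before / data_inject / data_after, with the text between the before and after markers replaced by the injected markup), a constructed rule, a constructed bank login page on a fictional .test domain, and a constructed POST body. It applies the rule to the page the way an in-browser hook would, after decryption, and then shows the kind of server-side indicator a bank can use: form fields arriving that the bank never served.

```javascript
// Added example: how a Zeus/Dyre-style "webinject" rule rewrites a page inside
// the browser (after TLS decryption, before re-encryption), and a simple
// server-side check for the extra fields such an injection harvests.
// Constructed illustration; not TrickBot's own configuration or code.

// Constructed webinject rule. Semantics assumed here (as in the Zeus format):
// when the URL matches set_url, the text between data_before and data_after
// is replaced by data_inject. "*" is a wildcard in patterns.
const SAMPLE_WEBINJECT = `
set_url https://online.example-bank.test/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="password" name="atm_pin">
data_end
data_after
<button*>
data_end
`;

// Constructed stand-in for the bank's real login page as the browser received it.
const SAMPLE_PAGE = `<html><body><form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password" autocomplete="off">
<button type="submit">Log in</button>
</form></body></html>`;

// Parse the rule text into { url, before, inject, after }.
function parseWebinject(text) {
  const rule = { url: null, before: "", inject: "", after: "" };
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("set_url ")) {
      rule.url = line.split(/\s+/)[1]; // trailing flags such as "GP" are ignored here
    } else if (line === "data_before") section = "before";
    else if (line === "data_inject") section = "inject";
    else if (line === "data_after") section = "after";
    else if (line === "data_end") section = null;
    else if (section && line) rule[section] += (rule[section] ? "\n" : "") + line;
  }
  return rule;
}

// Turn a webinject pattern (literal text, "*" = any characters) into a RegExp.
function patternToRegex(p) {
  const escaped = p.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[\\s\\S]*?");
  return new RegExp(escaped);
}

// Apply the rule to HTML the browser has already decrypted. Returns the page
// unchanged if the URL or the markers do not match.
function applyWebinject(rule, url, html) {
  if (!patternToRegex(rule.url).test(url)) return html;
  const beforeMatch = patternToRegex(rule.before).exec(html);
  if (!beforeMatch) return html;
  const cut = beforeMatch.index + beforeMatch[0].length;
  const rest = html.slice(cut);
  const afterMatch = patternToRegex(rule.after).exec(rest);
  if (!afterMatch) return html;
  // Replace whatever sat between the markers with the injected markup.
  return html.slice(0, cut) + "\n" + rule.inject + "\n" + rest.slice(afterMatch.index);
}

// List the name= attributes of <input> elements in a page, in document order.
function inputNames(html) {
  const re = /<input\b[^>]*\bname="([^"]*)"/g;
  const names = [];
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Server-side indicator: the bank knows which fields its form contains. A POST
// carrying fields it never served (here "atm_pin") is a sign that the page was
// altered in the victim's browser. Returns the unexpected field names.
function unexpectedFields(expectedNames, submitted) {
  const allow = new Set(expectedNames);
  return Object.keys(submitted).filter((k) => !allow.has(k));
}

// Stand-alone demonstration on the constructed inputs.
const rule = parseWebinject(SAMPLE_WEBINJECT);
const rewritten = applyWebinject(rule, "https://online.example-bank.test/login?lang=en", SAMPLE_PAGE);
console.log(rewritten);
console.log("served fields:   ", inputNames(SAMPLE_PAGE));
console.log("fields in browser:", inputNames(rewritten));
console.log("unexpected in POST:", unexpectedFields(inputNames(SAMPLE_PAGE),
  { username: "alice", password: "hunter2", atm_pin: "1234" }));
```

The wire never shows the difference: the TLS session is intact and the extra "ATM PIN" field is injected and read in plaintext inside the browser, which is why network-level encryption does not defend against this class of Trojan. What the bank can see is the anomaly in what comes back, which is the basis of the server-side check above.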

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot," said Reaves. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."

The researcher points to similarities between the two Trojans, including a custom cryptor and loader, and an updated bot believed to be based on Dyre code.

The bot appears to still be in development, and Reaves believes those responsible are also "pushing to rebuild their Cutwail botnet", the spam botnet that was used to distribute Dyre, in preparation for future attacks.

"It'll be interesting to see if TrickBot can reach or pass its predecessor," said Reaves.

In mid-2015, the budget airline Ryanair lost over $5 million to fraud linked to a Dyre Trojan email campaign.
