In a report issued on Thursday, IBM researchers said the new campaign, which it dubs Dyre Wolf, is having a “formidable success rate” attacking people who transfer money. There have been several reports of losses of between US$500,000 and more than $1 million.
“The organization behind the Dyre malware campaign, thought to be based in Eastern Europe, has not only consistently updated and maintained the malware, it has added more tricks to further their deception,” the report says. “Social engineering via phone calls and denial of service are now part of their toolkit,” in part to defeat two-factor authentication.
What is the Dyre Malware?
The Dyre malware is considered one of the most effective banking malware families active in the wild, says IBM, because of its feature-rich capability and its constant updates, which are designed to help it avoid detection by standard security mechanisms.
But the researchers say it is the group behind the malware (which some security researchers call Dyreza) that makes it “so incredibly effective at stealing large sums of money.”
“The infrastructure, the manpower, and the knowledge of banking systems and their websites clearly demonstrate that this group is well-funded, experienced and intelligent.” They combine spear phishing, infecting user PCs with the Upatre malware, social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS).
IBM says North America has seen the highest level of Dyre infections since the malware was discovered in the summer of 2014. In fact, in the first quarter of this year Dyre was the top malware family, followed by Neverquest. Over 4,000 PCs were infected with Dyre around the world in February alone.
How it works
Usually it starts with a spear phishing attack aimed at a specific employee of an organization, sent either to a corporate or a personal email account, with an infected zip file attachment purporting to be an invoice, fax or document. The file inside the zip carries an embedded PDF icon, but it is actually an .exe or .scr executable containing the Upatre malware. Upatre then downloads Dyre from a command and control server whose URL constantly shifts.
Dyre creates a Windows service named “Google Update Service,” which automatically runs every time the PC restarts until it is able to inject malicious code into SVCHOST.EXE. It establishes a peer-to-peer tunneling network, then hooks into the victim’s common browsers (Internet Explorer, Chrome and Firefox) in order to intercept credentials the user may enter when visiting any of the targeted bank sites.
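A service that borrows the Google Update name is a persistence artifact an IT team can hunt for across its fleet. The following is an added example, not code from IBM or from the report, of a rule that flags services presenting themselves as Google Update but not matching what a genuine install registers. It assumes (from a default Chrome installation, so verify against your own estate) that the real services are named gupdate and gupdatem and run GoogleUpdate.exe from the Google\Update folder; the service records it scans are constructed, as if exported from an endpoint inventory.

```python
"""Hunt for services that imitate Google Update.

Added example, not part of the IBM report. The inventory records below are
constructed; the genuine-service facts are assumptions noted in comments.
"""
import ntpath
from typing import Dict, List

# Assumption: a default Google install registers exactly these two services
# and runs GoogleUpdate.exe from a path containing \Google\Update\.
GENUINE_SERVICE_NAMES = {"gupdate", "gupdatem"}
GENUINE_DIR_FRAGMENT = "\\google\\update\\"


def image_exe(image_path: str) -> str:
    """Extract the executable from a service ImagePath, honouring quoting."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ", 1)[0]


def suspicious_reasons(svc: Dict[str, str]) -> List[str]:
    """Why a service that calls itself Google Update does not look genuine."""
    display = svc["display_name"].lower()
    name = svc["name"].lower()
    if "google update" not in display and "google update" not in name:
        return []  # not wearing the disguise; outside this rule's scope
    exe = image_exe(svc["image_path"]).lower()
    reasons = []
    if name not in GENUINE_SERVICE_NAMES:
        reasons.append(f"service name {svc['name']!r} is not gupdate/gupdatem")
    if GENUINE_DIR_FRAGMENT not in exe:
        reasons.append(f"binary {exe} is outside the Google\\Update folder")
    if ntpath.basename(exe) == "svchost.exe":
        # Assumption: Google Update is a standalone process, never svchost-hosted.
        reasons.append("hosted in svchost.exe, which Google Update is not")
    return reasons


def hunt(services: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    return {s["name"]: r for s in services if (r := suspicious_reasons(s))}


# Constructed sample records: one genuine, one impostor, one unrelated service.
SAMPLE_SERVICES = [
    {"name": "gupdate", "display_name": "Google Update Service (gupdate)",
     "image_path": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"name": "Google Update Service", "display_name": "Google Update Service",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\gusvc.exe"},
    {"name": "Spooler", "display_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for svc_name, why in hunt(SAMPLE_SERVICES).items():
        print(f"{svc_name}: {'; '.join(why)}")
```

Feed it the output of a service inventory (name, display name, ImagePath) from every host; the genuine gupdate entry is left alone and only the impostor, which has the wrong service name and runs out of a user's Temp folder, is reported.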
There are several ways of capturing passwords. In one, when the victim attempts to browse to one of Dyre’s targeted Web pages, the malware injects new fillable data fields into the page to collect login credentials. Or the malware redirects the request through a proxy server to Dyre’s command and control server, which sends back a replica of the bank’s webpage containing extra data fields for the victim to fill out, or messages that will help the attacker swindle money out of the account, IBM says. Or it can intercept the bank’s original page response on a PHP server and send it back to the victim with tailored code injections added. “This is an on-the-fly mechanism that Dyre uses to avoid coding its injections into the configuration file,” says the report. “It also allows the attacker to communicate with victims in real time, presenting them with carefully selected social engineering designed to complete a fraudulent transaction.”
And if that’s not enough, if the gang chooses, it can send an error message to the victim, who is urged to call a phony contact centre staffed “by a very professional-sounding person with an American accent.”
As an added kick if Dyre discovers Microsoft Outlook it will mail itself to everyone on the contact list.
It’s not over. As soon as a money transfer starts the attackers launch a DDoS attack to either distract the company or to prevent the victim from logging back into the bank site.
How can IT security pros fight back?
Most organizations configure their mail servers to prohibit the sending or receiving of emails with executable files as attachments, IBM notes, but will allow zip archives through. Email gateways must be configured to strip or remove executables, including those found inside archives that are not password protected (and which the gateway can therefore open and inspect). Organizations should also consider using different antivirus products for different purposes — one for desktops, a different one for servers and another for the email gateway — to maximize protection.
IBM also suggests organizations think about using a separate designated host specifically configured for highly sensitive operations such as corporate banking. It should use separate login credentials, should not be able to receive company email or freely browse the Internet, and should only be allowed to communicate with known trusted or whitelisted destinations.
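The attachment chain described under “How it works” (a zip wrapping an .exe or .scr dressed up as a PDF) is exactly what the gateway control above is meant to stop. The following is an added example, not code from IBM or from the report, of the inspection a gateway policy can apply to a zip attachment: it flags members by executable extension, by a document extension hidden in front of the real one, and by the PE (“MZ”) header that survives any renaming, and it treats password-protected members, which it cannot open, as grounds for quarantine rather than blind delivery. The “strip / quarantine / pass” outcomes and the sample lure archive are this example’s own constructions.

```python
"""Inspect a zip e-mail attachment as a gateway policy might.

Added example, not from the IBM report. The sample archive is constructed;
the three policy actions are this example's own design.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Extensions Windows runs on double-click. The lures used .exe and .scr.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def member_reasons(info: zipfile.ZipInfo, head: Optional[bytes]) -> List[str]:
    """Reasons a single archive member should be stripped (empty means clean)."""
    reasons = []
    name = info.filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # invoice.pdf.exe: a document extension placed in front of the real one
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguising an executable as a document")
    # Renaming evil.exe to invoice.pdf leaves the DOS header untouched.
    if head is not None and head[:2] == b"MZ":
        reasons.append("PE (MZ) header regardless of file name")
    return reasons


def inspect_zip_attachment(data: bytes) -> Dict[str, object]:
    """Classify every member and return the policy action for the archive."""
    to_strip: Dict[str, List[str]] = {}
    encrypted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = member_reasons(info, head)
            if reasons:
                to_strip[info.filename] = reasons
    if encrypted:
        action = "quarantine"  # content cannot be inspected; do not deliver blind
    elif to_strip:
        action = "strip"       # deliver the mail with the flagged members removed
    else:
        action = "pass"
    return {"action": action, "strip": to_strip, "encrypted": encrypted}


def build_sample_lure() -> bytes:
    """Constructed sample: a fake PE named like an invoice plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Minimal DOS-header stub, not a runnable program: just the bytes a
        # gateway sees at offset 0 of a real .exe or .scr.
        zf.writestr("Invoice_0412.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please find the invoice attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = inspect_zip_attachment(build_sample_lure())
    print("action:", verdict["action"])
    for member, why in verdict["strip"].items():
        print(f"  strip {member}: {'; '.join(why)}")
```

Note that the MZ check is what catches the renamed case the extension rules miss; conversely, only the flag-bit check catches an encrypted member, because the gateway never gets to read its first bytes.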