Online banking users in Europe and North America are experiencing the upsurge of DYRE, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow.
Figure 1. DYRE-related infections (values are rounded off to the nearest thousand)
Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.
Figure 2. DYRE infection count per region in Q1
Online banking malware infections have long been North America’s problem. Europe has seen its share of notorious banking malware too, such as DRIDEX. With DYRE’s presence in APAC, we see evidence that cybercriminals are trying to gain a stronger foothold in more regions.
A recent spike in spammed attachments that drop the DYRE shows that APAC is getting substantially more emails than the usual targets. Out of the thousands of DYRE-infected emails we spotted in the first week of May, 44% were directed at users in the Asia Pacific region, followed by 39% against users in Europe, and 17% against those in North America.
Figure 3. DYRE-related spam volume from May 1-7
We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like.
Spam Drops Upgraded UPATRE Malware
We found a new version of DYRE in a new spam run. We now detect this variant as TSPY_DYRE.IK.
What’s troubling with this recent spam run is that it shows how online banking malware continue to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known to be the downloader or middleman malware of sorts for other infamous malware like ZBOT, CRILOCK, and ROVNIX.
This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can disable detection, thus making it easier for the download of DYRE or other malware into user systems.
Specifically, its additional functions include the following:
- Disabling firewall/network related security by modifying some registry entries.
- Disabling firewall/network related security via stoppage of related services.
- Disabling window’s default anti-malware feature (WinDef)
Recently, we have also seen a UPATRE variant (detected TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML/ Help file (.CHM) on a spam run victimizing JPMorgan Chase & Co. customers.
UPATRE Spam Content
Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to scare users into opening an attached file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam.
Figure 4. Screenshot of a sample spam mail infected with UPATRE
Seeing that most samples we have seen so far use the English language, it is likely that users of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking according to language and banking preferences. Logically, more English-speaking regions will take notice of the said email, given that it is more relatable to them. Note that, since cybercriminals are already making the move to expand globally, they can potentially spew out more regionalized messages for their next spam runs.
What Do We Do Now?
It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via spammed mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions.
Specifically, the Trend Micro™ Custom Defense™ technology wards off UPATRE, DYRE, and CHM downloader threats for enterprises. It detects and analyzes advanced threats and attacks and monitors malicious behaviors so as to mitigate upcoming threats.
