
DYRE Banking Malware Upsurges; Europe and North America Most Affected

  • Posted on: June 2, 2015 at 12:42 am
  • Posted in: Malware, Spam
  • Author: Abraham Camba (Threat Researcher)

Online banking users in Europe and North America are experiencing an upsurge of DYRE, a malware family notorious for the multiple ways it steals data and for its ties to parcel mule scams, among other schemes. DYRE-related infections worldwide rose 125% this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow.

Figure 1. DYRE-related infections (values are rounded off to the nearest thousand)

Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.

Figure 2. DYRE infection count per region in Q1

Online banking malware infections have long been North America’s problem. Europe has seen its share of notorious banking malware too, such as DRIDEX. With DYRE’s presence in APAC, we see evidence that cybercriminals are trying to gain a stronger foothold in more regions.

A recent spike in spammed attachments that drop DYRE shows that APAC is receiving substantially more of these emails than the usual targets. Of the thousands of DYRE-infected emails we spotted in the first week of May, 44% were directed at users in the Asia Pacific region, followed by 39% against users in Europe and 17% against those in North America.

Figure 3. DYRE-related spam volume from May 1-7

We looked closely at the financial institutions whose URLs were embedded in the DYRE malware samples. We noted URLs associated with several multinational banks, including their various country branches, divisions, and the like.

Spam Drops Upgraded UPATRE Malware

We found a new version of DYRE in a new spam run. We now detect this variant as TSPY_DYRE.IK.

What’s troubling about this recent spam run is that it shows how online banking malware continues to come out in versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has served as the downloader, or middleman malware of sorts, for other infamous malware families such as ZBOT, CRILOCK, and ROVNIX.

This time, UPATRE has grown beyond being just a downloader for other malware. Its new variant can disable security features on the host, making it easier to download DYRE or other malware onto user systems.

Specifically, its additional functions include the following:

  • Disabling firewall/network-related security by modifying certain registry entries.
  • Disabling firewall/network-related security by stopping related services.
  • Disabling Windows’ default anti-malware feature, Windows Defender (WinDef).
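The three behaviors listed above leave host-level traces a defender can audit for. The following PowerShell script is an added example, not code from the Trend Micro post, and it assumes the standard Windows firewall registry locations, service names, and Windows Defender policy values; the post does not name the specific entries UPATRE modifies, so these are the usual places such tampering would show up.

```powershell
# Added audit script (not from the original post): looks for the kinds of
# tampering described above - firewall disabled via registry, security
# services stopped/disabled, and Windows Defender turned off by policy.
# Assumption: the keys, values and service names below are the standard
# Windows locations, not ones taken from UPATRE samples.

$findings = @()

# 1. Firewall profiles disabled through the local firewall policy keys
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $fwBase $profile
    $val = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($val -eq 0) { $findings += "Firewall disabled in registry: $key" }
}

# 2. Firewall / filtering / Defender / Security Center services stopped or set to Disabled
$services = 'MpsSvc', 'BFE', 'WinDefend', 'wscsvc'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "Service missing: $name"; continue }
    if ($svc.Status -ne 'Running') {
        $findings += "Service not running: $name (state: $($svc.Status))"
    }
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -eq 'Disabled') { $findings += "Service start type set to Disabled: $name" }
}

# 3. Windows Defender switched off through policy registry values
$defChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = 'DisableAntiSpyware'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = 'DisableRealtimeMonitoring'
}
foreach ($key in $defChecks.Keys) {
    $name = $defChecks[$key]
    $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $findings += "Defender policy value set: $key\$name = 1" }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No firewall/Defender tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell session, since the policy keys and service start modes are only fully readable with administrator rights; any finding is a reason to pull the host for closer inspection rather than proof of infection on its own.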

Recently, we have also seen a UPATRE variant (detected as TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML Help file (.CHM) in a spam run targeting JPMorgan Chase & Co. customers.

UPATRE Spam Content

Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It tries to scare users into opening an attached file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to fall for the scam.

Figure 4. Screenshot of a sample spam mail infected with UPATRE

Seeing that most samples we have observed so far are in English, it is likely that the operators of the DYRE malware have been sending similar messages to a variety of regions without tailoring them to local language or banking preferences. Logically, English-speaking regions will take more notice of such an email, since it is more relatable to them. Note that, since cybercriminals are already making the move to expand globally, they can potentially produce more regionalized messages for their next spam runs.

What Do We Do Now?

It pays to be prepared, especially when the consequences are literally DYRE. As we have previously advocated, banking malware that spreads via spammed mail can be fought off by knowing your bank’s policies, installing a full-featured anti-malware solution, immediately changing passwords and monitoring online banking transactions in case of infection, and alerting the bank when you spot suspicious transactions.

Specifically, the Trend Micro™ Custom Defense™ technology wards off UPATRE, DYRE, and CHM downloader threats for enterprises. It detects and analyzes advanced threats and attacks and monitors malicious behaviors so as to mitigate upcoming threats.

Tags: DYRE, EMEA cybercrime, North America cybercrime, online banking, UPATRE