Despite the alleged creators of the Dyre cooling their heels in prison, a new, updated variation of the Trojan has been discovered targeting Australian banks in a fresh crimewave.
Researchers at Fidelis Security say that “some” individuals who previously worked on the Dyre banking Trojan are lending their skills towards the development of TrickBot, another banking Trojan, which “which shares a lot of the old Dyre modus operandi and code.”
TrickBot is not a direct clone, however, as the new banking Trojan instead has been equipped with a round of upgrades.
Rather than running commands directly, the bot now interfaces with TaskScheduler to increase the malware’s persistence. In addition, the bot now utilizes Microsoft CryptoAPI and uses far more code based on C++ than the original Dyre.
“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot,” Fidelis says. “With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.”
Dyre is a financial Trojan at the heart of the theft of millions of dollars from banks worldwide. The malware not only targeted all major browsers to steal personal information but once it infected a system through spam or phishing campaigns, was able to hijack financial transactions, conduct surveillance and compromise victim accounts.
However, in November 2015, Dyre vanished almost overnight. Russian law enforcement revealed months later that they took action to take down cybercriminal groups — and considering how quiet the Trojan became, it is assumed that among those arrested were the masterminds behind the campaign.
However, there was still speculation that some of the programmers and other contributors would avoid the snare and become subsumed in other, similar operations.
It appears that this may be the case with Dyre’s copycat. In September, the cybersecurity firm was made aware that TrickBot was embroiled in a campaign against Australian banks.
Upon further exploration, the research team found “staggering” similarities with the malware’s bot and loader functionality. The bot’s crypter and loaders are similar and used in the Cutwail spambot, which was also used by Dyre in spam campaigns.
In addition, the Dyre bot’s old code appears to have formed the basis for an upgraded TrickBot which also uses the same built-in hash functions, Microsoft CryptoAPI and COM.
“The bot also uses a very similar but slightly modified version of the old Dyre C2 decryption, this routine is then used for encrypting/decrypting all data respectively,” the team says. “The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot.”
The Trojan is able to hide in the background to hijack transactions, request sensitive information from users in the hopes of fraudulently compromising their accounts and pass along personal data through the malware’s command-and-control (C&C) center to operators in order to conduct identity theft.
The researchers say:
“While the bot is still missing quite a lot from what was previously seen in Dyre it is obvious that there is correlation between the code used in this bot and that from Dyre.
As the bot appears in development they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It’ll be interesting to see if TrickBot can reach or pass its predecessor.”
Considering how successful the original Dyre campaign was in plundering banks, we can only hope that is not the case.