Banking Malware Targets Wire Transfers; Evades Antivirus

By   Information Security Buzz Editorial Staff
Chief Editor , Information Security Buzz | Apr 07, 2015 05:13 pm PST

The Trojan Dyre (also known as Dyreza) has been around for quite awhile now, terrorizing the banking industry, stealing passwords and enabling malicious hackers to make off with money stolen directly from individual accounts.

Now IBM security researchers are reporting on a recent campaign they’ve dubbed, “The Dyre Wolf” that leverages social engineering to steal account inf ormation and money from corporate accounts – resulting in higher payoffs. IBM reports that attackers have stolen upwards of a million dollars using this campaign.

IBM researchers have found that attackers are targeting companies that often conduct high-dollar wire transfers. They also noted that most antivirus tools were unable to detect this Dyre malware variant, suggesting that traditional security solutions aren’t enough to stop password-stealing malware.

Social Engineering to Steal Wire Transfers

The attackers have crafted an elaborate scheme involving a call center to intercept wire transfers. Once infected, users are presented with a fake prompt when they attempt to visit a banking website. The prompt tells the user that the site is experiencing issues, and urges him/her to call a phone number for customer service assistance – effectively stealing both their login and the wire transfer money.

Attackers may target some companies with a DDoS (Distributed Denial-of-Service) attack in order to distract them from finding the wire transfer until it was successfully delivered to their own bank account, a commonly used and effective diversion tactic.

In addition, if the Dyre malware detects that Microsoft Outlook is installed on the user’s computer, it attempts to spread itself via emails and attachments to contacts listed in their email account, according to the IBM report, The Dyre Wolf: Attacks on Corporate Banking Accounts (PDF).

The spread of this malware isn’t slowing down. According to research in October 2014, IBM found that instances of Dyre infection had risen from 500 to nearly 3,500 – an increase of 600 percent.

Moar Banking Malware & Drive-By Downloads

And obviously, Dyre isn’t the only banking trojan out there. Another recent malware campaign targeting more than 15 Canadian financial institutions involves the Neverquest banking trojan, according to Vawtrak, the latest variant of Neverquest, leverages man-in-the-middle attacks, videos and screenshots to steal online banking credentials and log into accounts via remote connections to their PCs to evade detection.

The malware is spread to victims via drive-by download. Drive-by downloads also targeted visitors last September, when a malicious script was added to the website by attackers in an invisible iframe. Visitors were redirected to an exploit kit that installed credential-stealing malware on their machines. Learn more in jQuery Credential-Stealing Attack Targets Sys Admins and Web Developers.

Last October, and Popular Science magazine were also hit by drive-by download malware that similarly redirected to an exploit kit that installed data-stealing malware on vistors’ computers. The exploit kit searched for known vulnerabilities in different applications, including those affecting Microsoft IE, Silverlight, Oracle Java SE and Adobe Flash Player.

Find out more about how website owners can check for malicious code and deter infection in University, Online Magazines & JavaScript Sites Hit By Drive-By Malware.

How can you protect your organization from banking malware? IBM’s recommendations include:

  • Reboot after any type of detection
  • Restrict execution of programs from temp folders
  • Maximize network visibility
  • End-user education

To learn about this banking malware, please read the rest of this article on Duo Security’s blog here.

By Thu Pham, Information Security Journalist, Duo Security | @Thu_Duo

thu_phamThu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.


About Duo Security

Duo-SecurityDuo Security is on a mission to provide advanced security solutions for organizations of all sizes. Duo’s innovative technology protects users, data and applications from credential theft and breaches with a focus on streamlined usability. The company was co-founded by CEO Dug Song, a major contributor to the security community, and CTO Jon Oberheide, expert cloud, mobile, and malware security researcher.