Dyre banking Trojan successor rears its ugly head

Cybercriminals have unleashed a new banking Trojan program on the internet and it bears striking similarities to Dyre, a malware threat believed to have been dead for almost a year.

The new Trojan is called TrickBot and first appeared in September, targeting users of banks in Australia. After a closer analysis, researchers from Fidelis Cybersecurity believe that it is a rewrite of the Dyre Trojan that plagued online banking users for over a year until the gang behind it was dismantled by Russian authorities.

While TrickBot is still a work in progress and doesn’t have all of Dyre’s features, there are enough similarities in their components to suggest that at the very least one served as inspiration for the other. At the same time, there are also significant differences in how some functions have been implemented in the new Trojan, which also has more C++ code than its predecessor.

This leads the Fidelis researchers to conclude that TrickBot is a reimplementation of Dyre rather than a continuation of the older project.

“It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot,” the researchers said in a blog post. “With moderate confidence, we assess that one or more of the original developers of Dyre are involved with TrickBot.”

Dyre, which stole tens of millions of dollars from customers of over 1,000 banks, financial institutions and other organizations worldwide, disappeared almost overnight in November last year.

It wasn’t until February that Russian authorities confirmed that a few months earlier it raided a Moscow-based film production and distribution company that people in the cybersecurity industry believed was behind the distribution of Dyre.

Since there aren’t a lot of details available about the extent of this law enforcement action, it’s very possible that some developers who previously worked on Dyre remained free and teamed up with another group, possibly leading to the creation of TrickBot.

It remains to be seen if this new Trojan will reach or even surpass the previous size of the Dyre operation. According to the Fidelis researchers, the TrickBot gang is also trying to rebuild the Cutwail spam botnet which was previously used to distribute Dyre.

Online banking Trojans are designed to inject malicious code into financial websites when displayed locally in browsers on infected computers. The rogue code can hijack transactions in the background or ask users for sensitive information, like payment card details which can then be used for fraud.

Users should run an up-to-date antivirus program and if able, should perform online banking transactions from a separate dedicated computer, an OS running from a live CD or from a virtual machine.