Dyre banking Trojan successor rears its ugly head

New online banking Trojan TrickBot is believed to be a reimplementation of Dyre

Cybercriminals have unleashed a new banking Trojan program on the internet and it bears striking similarities to Dyre, a malware threat believed to have been dead for almost a year.

The new Trojan is called TrickBot and first appeared in September, targeting users of banks in Australia. After a closer analysis, researchers from Fidelis Cybersecurity believe that it is a rewrite of the Dyre Trojan that plagued online banking users for over a year until the gang behind it was dismantled by Russian authorities.

While TrickBot is still a work in progress and doesn't have all of Dyre's features, there are enough similarities in their components to suggest that at the very least one served as inspiration for the other. At the same time, there are also significant differences in how some functions have been implemented in the new Trojan, which also has more C++ code than its predecessor.

This leads the Fidelis researchers to conclude that TrickBot is a reimplementation of Dyre rather than a continuation of the older project.

"It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot," the researchers said in a blog post. "With moderate confidence, we assess that one or more of the original developers of Dyre are involved with TrickBot."

Dyre, which stole tens of millions of dollars from customers of over 1,000 banks, financial institutions and other organizations worldwide, disappeared almost overnight in November last year.

It wasn't until February that Russian authorities confirmed that a few months earlier it raided a Moscow-based film production and distribution company that people in the cybersecurity industry believed was behind the distribution of Dyre.

Since there aren't a lot of details available about the extent of this law enforcement action, it's very possible that some developers who previously worked on Dyre remained free and teamed up with another group, possibly leading to the creation of TrickBot.

It remains to be seen if this new Trojan will reach or even surpass the previous size of the Dyre operation. According to the Fidelis researchers, the TrickBot gang is also trying to rebuild the Cutwail spam botnet which was previously used to distribute Dyre.

Online banking Trojans are designed to inject malicious code into financial websites when displayed locally in browsers on infected computers. The rogue code can hijack transactions in the background or ask users for sensitive information, like payment card details which can then be used for fraud.

Users should run an up-to-date antivirus program and if able, should perform online banking transactions from a separate dedicated computer, an OS running from a live CD or from a virtual machine.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts