Operators keep a regular 5-day work week, and business is booming

Jun 24, 2015 08:50 GMT  ·  By

Cybercriminals running the Dyre banking Trojan have built an impressive infrastructure of hundreds of servers, researchers found, each assigned a role in maintaining or expanding the malware's activity.

A Symantec report released on Tuesday delves into the business side of the malware, revealing an operation whose staff work five days a week.

Dyre’s money-stealing activity follows a well-known pattern: the web browser is hijacked to monitor web sessions, and the victim is either redirected to fake websites or served legitimate pages whose content has been altered on the fly to capture banking login credentials, a technique known as a man-in-the-browser (MitB) attack.
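To make the on-the-fly page alteration concrete, the following Python is an added illustration, not code from the article or from Symantec's report: it applies a web-inject rule in the generic `data_before` / `data_after` / `data_inject` style used by Zeus-family configs (an assumption for illustration; Dyre's own configuration format is not described on this page) to a constructed login page, then shows the check a bank's fraud team can run on a page the browser actually rendered: list the form fields and diff them against what the server sent. The URL `bank.example`, the rule, and the HTML are all constructed.

```python
import re
from html.parser import HTMLParser

# Constructed inject rule (illustrative; not Dyre's own config format).
# The hook watches for pages whose URL matches url_mask, finds data_before,
# and inserts data_inject right after it, provided data_after follows.
INJECT_RULES = [
    {
        "url_mask": r"https://bank\.example/login.*",
        "data_before": '<input type="password" name="password">',
        "data_inject": '<label>PIN</label><input type="password" name="pin">',
        "data_after": "</form>",
    }
]

# Constructed login page as the bank's server would send it.
ORIGINAL_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Sign in</button>
</form>
</body></html>"""


def apply_injects(url, html, rules=INJECT_RULES):
    """Rewrite the page the way a MitB hook in the browser would.

    The server and the TLS session are untouched; only the bytes handed to the
    renderer change, which is why server-side controls never see the extra field.
    """
    for rule in rules:
        if not re.fullmatch(rule["url_mask"], url):
            continue
        start = html.find(rule["data_before"])
        if start == -1:
            continue
        start += len(rule["data_before"])
        if html.find(rule["data_after"], start) == -1:
            continue  # anchor pair not found; rule does not apply to this page
        html = html[:start] + rule["data_inject"] + html[start:]
    return html


class FormFieldCollector(HTMLParser):
    """Collect the 'name' attribute of every <input> in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def unexpected_fields(original_html, observed_html):
    """Fields present in what the browser rendered but absent from what the server sent.

    This is the comparison a bank can make if its page reports its own DOM back
    (e.g. via a script that submits the rendered field list with the login).
    """
    return sorted(set(form_fields(observed_html)) - set(form_fields(original_html)))


if __name__ == "__main__":
    tampered = apply_injects("https://bank.example/login?lang=en", ORIGINAL_LOGIN_PAGE)
    print("fields the server sent:   ", form_fields(ORIGINAL_LOGIN_PAGE))
    print("fields the victim sees:   ", form_fields(tampered))
    print("injected by the Trojan:   ", unexpected_fields(ORIGINAL_LOGIN_PAGE, tampered))
```

The point of the `unexpected_fields` check is that the injection happens after TLS termination inside the browser, so nothing on the wire looks wrong; only a comparison between the page as served and the page as rendered reveals the extra "PIN" prompt.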

Multiple groups may be involved in the operation

But unlike other malware of its kind, this one has moved to another level, with no fewer than 285 command and control (C&C) servers and 44 other machines that deliver plugins and additional payloads or carry out MitB attacks.

The cybercriminals have organized the C&C machines so that only two IP addresses are in use at any one time for command and control tasks and for dispatching modules.

Most of the C&C servers (227 of them) have been pinpointed in Ukraine and Russia, but the infrastructure also spreads to Poland, Bulgaria, Andorra, the Netherlands, Serbia, Moldova, Hungary, Germany, France, the Czech Republic, Austria, Slovakia, and the US.

Symantec says that the machines that carry out MitB attacks and push other malicious payloads to victims are mostly located in European countries outside Russia and Ukraine, one possible reason being that they are managed by other groups.

Researchers determined that the cybercriminals' activity runs between 3 AM and 10 PM and lines up with the UTC+2 or UTC+3 time zones, which suggests that the attackers are based in Eastern Europe or Russia.

Dyre targets mostly users in the US and UK

Information collected from captured samples showed at least 1,000 unique URLs belonging to hundreds of targeted financial organizations, most of them in the US and UK.

Banks in other countries are also targeted; the rest of the top 10 is made up of Australia, Germany, France, New Zealand, Romania, Canada, Malaysia, and Mexico.

However, the malware also goes after other entities connected to the financial sector, such as electronic payment services and digital currency users. The attackers targeted some web-hosting companies as well, probably in an attempt to expand the C&C infrastructure.

After the fall of Gameover Zeus and Shylock, Dyre has risen steadily to the point that it is now considered one of the most dangerous financial Trojans, “a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attacker,” Symantec says in the report.

Infrastructure of Dyre (3 images): Top 10 locations of C&C servers; Locations of secondary C&C infrastructure; Per-country count of banks targeted by Dyre