Researchers find traces of Dyre in new TrickBot trojan

Oct 16, 2016 22:35 GMT

Security researchers from Fidelis Cybersecurity have advanced the theory that a new banking trojan discovered in September 2016 may have a connection to the old Dyre banking trojan.

Fidelis researchers found this new trojan, named TrickBot, in September 2016, and from the get-go, the trojan sparked interest due to a series of similarities to Dyre.

The Dyre trojan ceased all major operations after Russian authorities raided the headquarters of a Russian company in November 2015. While the campaigns didn't stop all of a sudden, the volume of spam spreading Dyre declined after the raids, slowing to a trickle by the following January.

TrickBot borrows techniques from Dyre

According to Fidelis experts, there are enough clues and similarities to support the theory that the Dyre crew, or former members of it, have returned with another trojan that shares much of Dyre's modus operandi and code.

Before TrickBot, the Dridex gang experimented with Dyre-specific techniques over the winter as well, so different banking trojans sharing code and techniques is nothing new on the malware scene.

First and foremost, Fidelis says that TrickLoader, the TrickBot module that infects the victim, is very similar to Dyre's loader.

"From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used," says Jason Reaves, Fidelis Threat Researcher. "It isn’t until you decode out the bot, however, that the similarities become staggering."

Despite all this, there isn't enough evidence to label TrickBot as Dyre reincarnated, or even a clone.

TrickBot is not a direct clone of Dyre, but more of an upgrade

Reaves says there are several differences as well. The most obvious one is the coding style, which appears to come from a different coder or development team: TrickBot is mostly written in C++, not C, the predominant language used for Dyre.

Second, TrickBot uses the Task Scheduler, driven through COM, to achieve persistence on infected devices, whereas the older Dyre ran commands directly on the infected system.
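Persistence through the Task Scheduler leaves an artifact a defender can hunt for: the task definition itself, which is exported as XML by schtasks or Export-ScheduledTask. The following script is an added example, not code from the article or from Fidelis, and it does not reproduce any TrickBot task name or path. It parses exported task definitions and flags the pattern a user-level persistence task tends to show: an executable (or a DLL handed to a signed proxy binary such as rundll32.exe) living in a user-writable location, combined with an autostart trigger and no registered author. The task names, paths and XML bodies are constructed for illustration.

```python
"""Hunt for user-level persistence in exported Task Scheduler XML.

Added example, not from the article or from Fidelis. The sample tasks below
are constructed; real exports are UTF-16 files and should be decoded before
being handed to flag_task().
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to (matched case-insensitively).
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%|%programdata%|%public%"
    r"|\\users\\|\\appdata\\|\\programdata\\|\\temp\\)",
    re.IGNORECASE,
)

# Signed system binaries commonly used to launch a payload stored elsewhere.
PROXY_BINARIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "powershell.exe", "cmd.exe",
}

AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger", "SessionStateChangeTrigger"}


def parse_task(xml_text):
    """Return (author, trigger tag names, [(command, arguments), ...])."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return author.strip(), triggers, actions


def flag_task(xml_text):
    """Return the reasons a task looks like user-level persistence (empty if none)."""
    author, triggers, actions = parse_task(xml_text)
    reasons = []
    for cmd, args in actions:
        exe = cmd.replace('"', "").rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"executable in user-writable path: {cmd}")
        elif exe in PROXY_BINARIES and USER_WRITABLE.search(args):
            reasons.append(f"{exe} proxying a user-writable payload: {args}")
    # Only strengthen an existing hit; many legitimate tasks also lack an author.
    if reasons and not author and AUTOSTART_TRIGGERS.intersection(triggers):
        reasons.append("autostart trigger with no registered author")
    return reasons


def triage(tasks):
    """Map task name -> reasons, for every task that raises at least one flag."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = flag_task(xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed task definitions (no XML declaration, so they parse as str).
TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>{author}</RegistrationInfo>
  <Triggers>{trigger}</Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {
    # Vendor updater under Program Files with a daily trigger: expected clean.
    "ExampleVendor Updater": TASK_TEMPLATE.format(
        author="<Author>ExampleVendor</Author>",
        trigger="<CalendarTrigger><StartBoundary>2016-10-01T09:00:00</StartBoundary></CalendarTrigger>",
        command=r"C:\Program Files\ExampleVendor\updater.exe",
        arguments="/silent",
    ),
    # Binary dropped in the user profile, run at every logon, no author.
    "WinSvcMon": TASK_TEMPLATE.format(
        author="",
        trigger="<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
        command=r"C:\Users\alice\AppData\Roaming\winsvcmon\client.exe",
        arguments="",
    ),
    # Signed system binary loading a DLL out of %TEMP% at boot.
    "Update Check": TASK_TEMPLATE.format(
        author="<Author>alice</Author>",
        trigger="<BootTrigger/>",
        command=r"C:\Windows\System32\rundll32.exe",
        arguments=r'"%TEMP%\mod.dll",Start',
    ),
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately narrow: it looks at where the payload lives, not at what it is, which is what makes it cheap to run across every task on a host and independent of any one family's task names. Task definitions under %SystemRoot%\System32\Tasks can be fed in the same way after decoding from UTF-16.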

Third, TrickBot uses the Microsoft Crypto API for its cryptographic operations, rather than the built-in SHA256 hashing and AES encryption routines that Dyre used.

All of these are substantial differences, and they suggest that someone has given an older version of Dyre a facelift. As Fidelis explains, there is enough evidence to show a connection between the two, but there is also evidence that someone spent a lot of time adding new code.

Fidelis says that TrickBot is currently active against Australian banks, using browser webinjects, a technique that was not standard practice for Dyre, which was known instead for its redirection attacks.