The evolution of malware is garnering attention from security researchers and law enforcement, as the off-the-shelf banking Trojans known as Dyre and Dridex have now been linked to the theft of massive amounts of corporate and personal data.

DRIDEX or DYRE had become one of the leading banking Trojans, targeting over 240 financial institutions. DRIDEX/DYRE malware is descended from the ZEUS Banking Trojan, developed by Evgeniy Mikhailovich Bogachev, founder of the ‘Business Club’ criminal hacker group. DRIDEX’s rapid development and success may be an indication that the ‘Business Club’ remains in operation, developing and using malware.

DRIXEX is a strain of banking malware that is known for using Microsoft Office macros to infect computers. DRIDEX is used to steal banking credentials and personal information so the attacker can access users’ financial resources such as records and bank accounts.

DRIDEX is descended from the ZEUS family of malware. The DYRE banking Trojan has been particularly active recently with new customers, features and exploits added. In 2015 Wapack Labs reported that DYRE was targeting 242 financial institutions

Eward Driehuis, a director at cybersecurity and threat-intelligence firm Fox-IT who was a featured presenter at Information Security Media Group's Fraud Summit Toronto this week, says cybercriminals are now using Dyre and Dridex to gather data that can help track patterns of human and corporate behavior, which might later be used to help attackers evade network intrusion detection.

"What they seem to be doing is stealing large amounts of data off of infected bots," Driehuis says during this interview with ISMG. "What they are doing with that data, we're not quite sure. But they're collecting terabytes and terabytes of data off of infected machines. And now we've seen them starting to query these big piles of stolen data."

Driehuis says these queries have been focused on gathering information about businesses' and users' interactions with computers that have been infected with the Dyre and Dridex strains. "They're harvesting more and more data about people, which is interesting, because they are building up their data for later use; that's how it seems right now."

Evading Detection

While Driehuis says researchers cannot definitively say what the purpose of this data collection is, he believes the data is being gathered to help cybercriminals figure out better ways to evade standard malware detection. By interacting with accounts and systems in ways that resemble real users, not bots, malware won't be detected by standard network intrusion systems, he explains.

"Malware today is evading typical malware detection," Driehuis says. "What the criminals have now done is devised a way of attacking banks by sending the sessions off to manual [human] operators. So the malware only catches the victim and passes credentials on to an operator. The operator then starts a completely legit session and conducts completely legit transactions. There's nothing strange about these transactons, there's nothing robotic to them and there are not any signs of malware in that session, because it's conducted on the criminal's computer, which is clean and operating perfectly."

References:

http://www.bankinfosecurity.com/malwares-stinging-little-secret-a-8477

http://www.bankinfosecurity.com/anti-malware-c-309

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform