Researchers Find Sneaky New Banking Trojan, Name It Dyreza

Watch out, folks! There’s a new banking malware in town.

The new banking threat, known as “Dyreza” or “Dyre” for short, is currently being spread through spam campaigns. The Trojan may come gift-wrapped in a malicious zip file attached to the email or linked for download from Cubby, a cloud file storage website.

Once it infects a machine, Dyreza uses a technique called “browser hooking” to view the traffic flowing between the compromised computer and a target banking website. It doesn’t matter if the victim uses Internet Explorer, Firefox or Chrome – the malware re-routes web traffic to servers controlled by the attackers, allowing them to read everything, including SSL traffic, in clear text.

The idea is to steal login credentials for major banking sites like Bank of America, Natwest, Citibank, RBS, and Ulsterbank. With the help of Dyreza, attackers will be able to intercept sensitive data and attempt to circumvent two-factor authentication, all without the victim knowing.

During analysis, researchers not only discovered some of the command and control servers for Dyreza, but they also stumbled upon money-mule accounts based in Latvia. Researchers also found evidence that the miscreants behind Dyreza may be planning another attack in which the malware is disguised as a “Flash Player update.”

Hopefully anyone who comes into contact with this banking Trojan is running one of the antivirus solutions capable of detecting the threat. At the time of writing, 36 of 54 antivirus programs can detect Dyreza, including AVG, Avast, ESET, Kaspersky, McAfee, Symantec, Sophos, et al. Unfortunately, Microsoft Security Essentials (MSE) did not make the list of antivirus software capable of detecting it, so keep that in mind if it’s your AV of choice.

Update 9/8/14: The detection rate is now 47 of 55 and includes Microsoft Security Essentials. Make sure you scan downloaded files before opening them!
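The post says Dyreza arrives as a malicious zip attachment and that downloaded files should be checked before they are opened. The script below is an added example written for this page, not code from the post or from The Chip Merchant, and it is a triage aid rather than a replacement for an antivirus scan: it lists what a zip contains and flags members that look like Windows executables, either by a double extension such as a document name ending in .exe, or by the "MZ" header every PE file starts with regardless of its name. The sample archive, its member names and the fake PE stub are constructed in memory for the demonstration.

```python
"""Flag executables hiding inside a zip attachment before anyone opens it.

Added example for this page; the sample archive below is constructed
and the file names in it are invented.
"""
import io
import zipfile

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat",
                         ".cmd", ".js", ".vbs", ".jar"}
# Document-looking extensions often used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_member(name, head):
    """Return the reasons a zip member looks suspicious (empty list if none).

    name: the member's file name inside the archive
    head: the first bytes of the member's content (two are enough here)
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]   # drop any folder prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % ext)
    # Double extension such as statement.pdf.exe: a document decoy before the real type.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension hides the real file type")
    # PE executables begin with 'MZ' no matter what they are named.
    if head[:2] == b"MZ":
        reasons.append("content starts with an MZ (PE executable) header")
    return reasons


def inspect_zip(data):
    """Inspect zip bytes; return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: a harmless text file plus a decoy 'PDF' that is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        # Fake PE header only; this is not a real program.
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

Point `inspect_zip` at the bytes of a real attachment and anything it returns deserves a proper scan rather than a double-click; an empty result only means nothing obvious was found, since an archive can also carry a document that exploits the viewer, which this check does not cover.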

Like this post? Follow us online by liking us on Facebook, following us on Twitter (@thechipmerchant), or circling us on Google+.