Dyre Trojan Silenced After Moscow Raid
Russian police may have disrupted the cybercrime gang behind the infamous Dyre banking trojan after offices were raided in Moscow late last year, according to a new report.
Three sources familiar with the matter told Reuters that the authorities raided a film distribution company known as 25th Floor back in November.
However, the Interior Ministry’s cybercrime unit told the newswire it was not involved and the FSB has declined to comment.
The report was also at pains to point out there’s no direct evidence linking the firm to the trojan.
The story reads like the plot of a film, which is doubly ironic as 25th Floor is said to be currently producing a film titled Botnet, based on a 2010 bust when over 30 people were charged with involvement in a $3 million cyber-scam.
However, it is true that the Dyre campaign has been quiet since November – a sign which some experts believe points to successful disruption by Russian law enforcers.
If it’s true, it’ll be the biggest such action by police there, who frequently turn a blind eye to cybercrime, especially if it’s targeting foreign victims.
According to Forbes, arrests took place on the 18 and 19 November, while a spokesperson for the UK’s National Crime Agency confirmed that it was aware that arrests had been made, and an active investigation remains, with enquiries ongoing.
Statistics from IBM Trusteer showed that new user infections from Dyre dropped into the single digits in mid-November, and have stayed that way since.
“Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration update servers and its real time web injection server were both disconnected from the internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark,” explained IBM X-Force cybersecurity evangelist, Limor Kessem.
“It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November.”
Dyre was the most active trojan in 2015, accruing millions for its operators. For example, it’s believed to have been used in a $5m raid on budget airline Ryanair in May last year.
That said, with Dyre out of the way, the gang behind Dridex appears to have been busy experimenting with new attack vectors.
“Over the last few weeks we've seen attackers experiment with Word documents with macros (typically Dridex); Neutrino malware; Pony malware; Zip with .js deliveries; straight .js files attached to the document, word exploits (CVE-2012-0158) and CAB attached files,” explained PhishMe senior researcher, Ronnie Tokazowski.
"While the others are interesting, the most interesting of them all is the exploit for CVE-2012-0158, an exploit for Word. When triggered on a vulnerable system, the document opens, quickly closes, and then opens a second document without user interaction."
Source: Information Security Magazine