New banking malware ‘Dyre’ targets Bank of America, CitiGroup accounts

A dangerous new strain of malware has been discovered, able to steal banking credentials without alerting users to the interception.

Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to but sufficiently distinct from, the Zeus malware.

Dyre has been designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.

The phishing campaign intended to spread the malware and has been asking users to download a zip file that claims to contain invoices or federal tax information. Dropbox has been quick to remove the links from its system, but the hackers have switched to Cubby, a similar service, to continue their campaign. Using such sites, the malware is able to evade URL-scanning software that detects files coming from suspicious domains.

According to SC Magazine, the malware is ‘a small code change away from being able to steal Facebook, Gmail’ account details – or any other information sent through HTTPS-protected websites.

Dyre’s danger lies in its ability to dupe users into believing they have a secure SSL connection to a bank, while in fact it is performing a ‘man-in-the-middle’ attack, intercepting data without disrupting what appears to be a legitimate secure connection.

Dyre injects malicious code into web browsers, ready to steal information when victims visit their banking site. It works across Chrome, Firefox and Internet Explorer, and may sometimes masquerade as a Flash Player download.

Some relatively good news comes in the fact that currently, Dyre is not as advanced as other Trojans, in some respects at least. Dark Reading reports that Dyre currently has no encryption capabilities, so communication between computers in a botnet running Dyre are ‘straightforward’ to intercept.