Don't Cry Wolf: Tracking Dyre Wolf's Evolution

Banking Trojans are nothing new to security experts and citizens around the globe. Many banking Trojans seem to come and go, while others leave a reputation that will forever be burned into the psyche of security analysts, such as Carberp, Citadel, Spyeye and of course, Zeus.

Few Trojans, however, have gained the level of notoriety and worldwide attention of Dyre, a piece of malware that relies heavily on social engineering to launch attacks. The level of cunningness and deception used by this particular threat is responsible for over 1 million dollars in losses in the financial sector between March and April. What makes this particular piece of malware troubling is the complexity of social engineering involved in the attack; the attack is multi-faceted, with rapidly evolving evasion techniques, and unlike many banking Trojans that target individual users, Dyre targets banking institutions as a whole!

Dyre first burst onto the scene as a fairly simply Remote Access Trojan (RAT) in mid-2014. Since then, security analysts have traced Dyre's mutation into different variants that have introduced new infection and evasion techniques to create bots out of Microsoft Outlook accounts, which then used social engineering to collect personally identifiable information (PII). Reports as recent as last month indicate that the malware was even able to add a sandbox evasion technique! In this article we will explore the evolution of this particular piece of malware, how the attack has been so successful, and what can be done to eliminate this threat from your environment.

As mentioned, while Dyre first captured the public's consciousness as a rather basic RAT in Mid-2014, security experts now believe that the malware may be one of the most effective Trojans in recent memory (and very likely the cause of the $5.5 million in financial losses for RyanAir), the source of this threat seems to stem from a private and well-funded group of hackers out of Eastern Europe. IBM researches even credit the Dyre Trojan as the top malware offender for Q1 of 2015.

Image Courtesy of IBM Security

Socially engineered attacks have shown organizations that they are only as strong as their weakest resource: their employees. Professionals with all types of job titles and backgrounds have fallen victim to phishing attacks that prey on our curiosity, insecurities, needs and desires. In order for Dyre Wolf to socially engineer millions of dollars out of financial institutions, the malware must discover and take avenues that allow the threat to position itself onto a host, unbeknownst to the user. In early 2015 Trend Micro Labs identified two new evasion techniques of this piece of malware:

  • Usage of SSL protocol to hide data being transmitted to and from the Command and Control Servers (C&C)
  • Using a 12P address to mask the location of the CnC Server

Dyre Attack Process:

Fast forward to April of this year and the research and intelligence report done by IBM's Managed Security Services and Emergency Response Services and the malware has evolved several times more, introducing DDoS attacks and extremely advanced social engineering to bypass 2 factor form authentications. So how does this attack work?

Image Courtesy of IBM Security

1) Spear Phishing

  • The attack vector is a simple email attachment, encouraging the recipient to open the attachment and download the file within.
  • Typically inside the zipped attachment is a file masquerading as a PDF, but is actually a .EXE or .SCR file. To the human eye the file looks exactly like a PDF and to make things worse the default Windows Behavior is to hide the extension of known files!

2) First Stage Malware Executed

  • The file perpetrating as a PDF is a malware known as Upatre (pronounced like "Up a tree")
  • The sole purpose of this malware is to download the Dyre
    • The malware contacts checkup.dynds,org to determine the public IP address of the endpoint it has found itself on
    • After confirming access to the internet, Upatre reaches out to the C&C server and downloads the malware from a varied list of domains and changing file names.

3) Second Stage Malware Executed

  • Once the Dyre is downloaded Upatre removes itself, and all actions past this point are done via Dyre, which then runs a series of different steps to remain concealed to the host/victim:
    • As a part of the installation service, Dyre creates a service named Google Update Service, it is set to run every time the system restarts. Once restarted Dyre injects malicious code into SVCHOST.EXE, stopping the Google Update Service

    • Dyre makes multiple connections to 12P nodes to create a peer-to-peer tunneling network. Masking what and where information is being sent to

    • Past that point Dyre hooks into the victims browsers, listening in to any credentials entered to visit a targeted bank's site

    • If Dyre detects Outlook is installed, it will look to send emails with the Dyre payload to contacts in order to create a bot farm of diseased endpoints

4) Victim tries to log into a targeted banking account

  • Dyre monitors the activity of the compromised endpoint, and the second the user navigates to the targeted banking site, the malware will redirect the request through a proxy server over to Dyre's server.
  • The user will be shown a fake replica of the Bank's site and be prompted to fill in information used to steal money out of the account

5) The Phone Call

  • In advanced variants of the attack, users are told to dial into a number to speak with what they believe to be a bank employee. In reality they are speaking to a member of this hacker ring and find themselves willingly handing over PII that can be used to bypass 2 form factor authentication.

6) The Wire Transfer

  • Once all the necessary information is collected, the cyber-ring begins the heist, bouncing portions of the bounty across multiple offshore accounts to evade detection.


  • Once the money has been collected, DDoS attacks are used to distract or hinder the investigation.

How You Can Prepare for Dynamic Malware:

Fast forward to May of this year, and Seculert's CTO Avi Raff reports new findings that Dyre is now able to evade sandbox detection simply by detecting the number of cores on the endpoint it finds itself on; deleting itself if only one core is detected. This is only one common method of evading sandbox detection, and it is possible that Dyre has evolved to have backdoor detection and registry artifact techniques to discover that the malware is in a virtualized environment. So now that we know what Dyre is and how it operates, for now, what can we do to stop it? The first and most obvious step is better training for employees in your organization. Your staff accountant is as likely a target as your CTO and a lack of training should not be the reason for an attack in today's day and age. Other areas where organizations can shield themselves from such an attack include:

Click to Enlarge

Click to Enlarge

The success of Dyre Wolf indicates the changes required in the Cyber Security Industry. As malware mutates and evolves to evade the defenses raised to catch them, so must the tools of cyber security specialists. Symantec's Sr VP for InfoSec was only partially right when he said AV is dead, the use of one scanning engine is dead. The table above highlights this fact as the first two AV engines to detect the new variant of Upatre are not household names; the same was true for Stuxent and a whole host of viruses and malware.

End users inspection of data should not be limited to only what McAfee thinks of a file, but what vendors in AIPAC, Western and Eastern Europe, and beyond know of a file. End users should also not have to rely on a single heuristic agent but multiple agents working in parallel thoroughly examine every line of code in a file seeking out any set of characters that could be a threat.

OPSWAT's Metascan offers clients with the ability to scan with 30 engines on premises, or 40+ in the cloud with a truly private API. Through the aggregation of multiple engines, Metascan delivers higher detection rates for known and unknown threats. Metascan can serve as one tool in a layered security architecture and can be placed in front of a Sandbox or with a behavior analytics tool like RSA's E-CAT. The threat landscape is only growing in size and diversity of attack, will you secure the tools to protect your organization?

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.