Banking Trojans Retooled for Data Mining
Fox-IT's Driehuis on How Dyre, Dridex Can Help Track Behavioral Patterns
The evolution of malware is garnering attention from security researchers and law enforcement, as the off-the-shelf banking Trojans known as Dyre and Dridex have now been linked to the theft of massive amounts of corporate and personal data.
Eward Driehuis, a director at cybersecurity and threat-intelligence firm Fox-IT who was a featured presenter at Information Security Media Group's Fraud Summit Toronto this week, says cybercriminals are now using Dyre and Dridex to gather data that can help track patterns of human and corporate behavior, which might later be used to help attackers evade network intrusion detection (see Lessons from Gameover Zeus Takedown).
"What they seem to be doing is stealing large amounts of data off of infected bots," Driehuis says during this interview with ISMG. "What they are doing with that data, we're not quite sure. But they're collecting terabytes and terabytes of data off of infected machines. And now we've seen them starting to query these big piles of stolen data."
Driehuis says these queries have been focused on gathering information about businesses' and users' interactions with computers that have been infected with the Dyre and Dridex strains. "They're harvesting more and more data about people, which is interesting, because they are building up their data for later use; that's how it seems right now."
While Driehuis says researchers cannot definitively say what the purpose of this data collection is, he believes the data is being gathered to help cybercriminals figure out better ways to evade standard malware detection. When accounts and systems are accessed in ways that resemble real users rather than bots, the activity won't be flagged by standard network intrusion detection systems, he explains.
"Malware today is evading typical malware detection," Driehuis says. "What the criminals have now done is devised a way of attacking banks by sending the sessions off to manual [human] operators. So the malware only catches the victim and passes credentials on to an operator. The operator then starts a completely legit session and conducts completely legit transactions. There's nothing strange about these transactions, there's nothing robotic to them and there are not any signs of malware in that session, because it's conducted on the criminal's computer, which is clean and operating perfectly."
During this interview, Driehuis also discusses:
- Why banks must focus more on event detection that correlates transaction data across numerous channels, rather than solely relying on malware detection;
- How hackers are adapting malware to facilitate their workflow; and
- Steps researchers and law enforcement are taking to track the rapid evolution of malware.
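The detection point Driehuis makes is that the operator's session looks clean on its own, so it only stands out when events from the victim's own session and the operator's session are correlated. The following is an added example, not code from Fox-IT or from the interview, of the kind of cross-channel event correlation a bank could run: it flags an account that logs in from a different device and a different network shortly after the customer's own login and then performs a high-value action. The event schema, the sample events, the 30-minute window and the set of high-risk actions are all constructed assumptions for the example.

```python
"""Cross-channel correlation of banking events to spot a credential handoff.

Added illustration only (assumed schema and thresholds, constructed sample data);
not code from Fox-IT or from the interview this page summarizes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    channel: str      # assumed channel label: "web", "mobile", ...
    ts: datetime
    device_id: str    # assumed per-channel device fingerprint
    asn: int          # assumed network identifier of the session
    action: str       # "login", "balance", "add_payee", "transfer", ...


# Assumptions for the example: which actions are worth money to an operator,
# and how quickly the operator tends to act after the victim's own session.
HIGH_RISK_ACTIONS = {"add_payee", "transfer"}
WINDOW = timedelta(minutes=30)


def correlate_handoffs(events, window=WINDOW):
    """Return alerts for accounts whose second login within `window` comes from
    a different device AND a different network and then does a high-risk action.

    A clean operator session has no malware indicators, so the signal is the
    contrast with the customer's own session rather than anything in the
    operator session itself.
    """
    by_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        logins = [e for e in evs if e.action == "login"]
        for i, later in enumerate(logins):
            for earlier in logins[:i]:
                if later.ts - earlier.ts > window:
                    continue  # too far apart to look like a handoff
                if later.device_id == earlier.device_id or later.asn == earlier.asn:
                    continue  # same device or same network: likely the customer again
                risky = [
                    e for e in evs
                    if e.device_id == later.device_id
                    and later.ts <= e.ts <= later.ts + window
                    and e.action in HIGH_RISK_ACTIONS
                ]
                if risky:
                    alerts.append({
                        "account": account,
                        "victim_channel": earlier.channel,
                        "operator_channel": later.channel,
                        "operator_device": later.device_id,
                        "actions": [e.action for e in risky],
                    })
                    break  # one alert per suspicious login is enough
    return alerts


def _t(hh, mm):
    return datetime(2015, 10, 1, hh, mm)


# Constructed sample events. Only account A1 shows the handoff pattern; A2 is a
# customer switching devices on the same home network, A3 is a second login far
# outside the window.
SAMPLE_EVENTS = [
    Event("A1", "web", _t(10, 0), "dev-victim", 1000, "login"),
    Event("A1", "web", _t(10, 1), "dev-victim", 1000, "balance"),
    Event("A1", "web", _t(10, 12), "dev-operator", 2000, "login"),
    Event("A1", "web", _t(10, 14), "dev-operator", 2000, "add_payee"),
    Event("A1", "web", _t(10, 15), "dev-operator", 2000, "transfer"),
    Event("A2", "mobile", _t(11, 0), "dev-phone", 3000, "login"),
    Event("A2", "web", _t(11, 5), "dev-laptop", 3000, "login"),
    Event("A2", "web", _t(11, 6), "dev-laptop", 3000, "transfer"),
    Event("A3", "web", _t(12, 0), "dev-x", 4000, "login"),
    Event("A3", "web", _t(13, 0), "dev-y", 5000, "login"),
    Event("A3", "web", _t(13, 2), "dev-y", 5000, "transfer"),
]

if __name__ == "__main__":
    for alert in correlate_handoffs(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately simple: it keys on the combination of a new device, a new network and a high-value action inside a short window, which is the one thing an operator working from a clean machine cannot hide. In a real deployment the window, the device fingerprinting and the list of risky actions would be tuned per institution, and the correlation would run over all channels the bank exposes, not just web logins.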
Driehuis is director of product management and marketing at Fox-IT, where he works with financial institutions, e-commerce companies and other corporate enterprises in the U.S., Europe, the Middle East, Asia and Australia. Before joining Fox-IT, Driehuis spent 18 years working as a chief technology officer and business director for various companies.