Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Report: Dyre Crackdown in Moscow

Notorious Banking Malware Attacks Suddenly Ceased, Report Says
Report: Dyre Crackdown in Moscow

Have Russian authorities collared the cybercrime gang responsible for the notorious Dyre banking malware?

See Also: Close the Case on Ransomware

In November 2015, Russian authorities raided the offices of production company 25th Floor, after which all activity tied to Dyre ceased, reports Reuters, citing three unnamed sources with knowledge of the investigation. But the news service adds that, as yet, there has been no confirmation that the raid and the malware disruption are directly connected.

Neither Russia's Ministry of Internal Affairs or Federal Security Service - known as the FSB - immediately responded to a request for comment on the November 2015 raid report and whether they targeted suspected Dyre developers or users.

Multiple information security firms, however, report that Dyre attacks have indeed ceased since the raid. "In November 2015, we observed Dyre distribution campaigns and control infrastructure become inactive," iSight Partners says in a research note, noting that a dozen alleged members of the Dyre gang were reportedly targeted by Russian authorities. "It remains unclear at this time who the actors are and what connection they have to Dyre. Dyre operations have remained offline since this raid, opening the possibility that it has been permanently shut down, which is notable because of the malware operation's extensive impacts on the financial sector and other industries."

Dyre operations went quiet at the end of November, says Andy Chandler, a senior vice president for European security vendor Fox-IT. "It's clear to us there has been a move by Russian officials to bring Dyre to a stop for the time being," he says. But the disruption of the malware itself may be temporary, since "we also know that the source code of Dyre is out in the wild" and thus could be adopted by other groups.

Regardless, the current disruption is notable because Russian authorities historically have cracked down only on malware-using gangs that attempt to exploit targets in Russia or the former Soviet Union (see Russian Cybercrime Rule No. 1: Don't Hack Russians). Indeed, Dyre had no victims in Russia, says Eugene Kaspersky, who heads Moscow-based information security firm Kaspersky Lab, via Twitter. "Coincidence? Don't think so," he said.

Kaspersky was responding to research into the Dyre takedown, which was presented Feb. 8 at the company's Security Analyst Summit in Tenerife, Spain, by Peter Kruse, a partner and electronic crime specialist at Danish security firm CSIS. Full details of that presentation remain forthcoming. A spokeswoman for Kaspersky Lab declined to comment on the Dyre crackdown, despite reports that the company assisted authorities, noting that it "does not comment on any law enforcement investigations."

Web Injection Attacks

The Dyre - a.k.a. Dyreza, Dyzap, and Dyranges - malware first appeared in June 2014, when it was tied to attacks that compromised online banking credentials for customers of JPMorgan Chase (see Alleged Bank Hack Tied to Phishing?). According to security firm Dell Secureworks, the malware was being propagated via spam - sent via the Cutwail botnet - that redirected victims to Dropbox or Cubby file-sharing services, where a copy of the malware was located.

But Dyre has since been used to target numerous U.S. banks, including Bank of America, and is believed to be tied to tens of millions of dollars in losses (see Banking Trojans Retooled for Data Mining). In April 2015, for example, IBM warned that a Dyre variant - known as Dyre Wolf - was targeting more than 200 banks, and that it was the most pervasive banking malware to hit its customers in 2015.

Like many other types of banking malware, if Dyre successfully infected a PC, it then attempted to steal online banking credentials. The malware could also use Web injection techniques, allowing attackers to alter the appearance of an online banking session, for example to show a fake balance and hide attackers actively transferring funds out of a victim's account (see Banking Malware: Big in Japan).

Dell Secureworks says more recent versions of Dyre had Web injection presets designed to target more than 400 different banks.

Botnet: The Movie

What's also unclear about the November 2015 report, however, is how Moscow-based production company 25th Floor might tie in. The company didn't immediately respond to a request for comment. But according to its website, it's developing a "cyber thriller" film called Botnet, which lists David Kaplan as the writer and director, and that it's a U.S.-Russian co-production.

Reuters reports that the story is loosely based on the 2010 case of Operation ACHing Mule, in which U.S. authorities charged 37 suspects as part of 21 separate investigations, and U.K. authorities charged 11 people.

The name of the operation alludes to the attackers having allegedly committed Automatic Clearing House fraud, as well as used money mules to help cash out their attacks. Authorities said an Eastern European gang used Zeus banking malware to infect victims' PCs.

Ilya Sachkov, CEO of Moscow-based information security firm Group-IB, tells Reuters that his firm was hired to consult on the movie - and help guide its depiction of real-world cybercrime - and met with 25th Floor CEO Nikolay Volchkov multiple times. Neither could be immediately reached for comment.

Executive Editor Tracy Kitten also contributed to this story.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.