Indusface Total Application Security – Security Bulletin on Dyreza and TrickBot Banking Malware

What are Dyreza and TrickBot?

Dyre (also known as Dyreza) is considered one of the most dangerous and powerful banking Trojans, with web-injection capabilities that let it alter online-banking pages inside the victim's browser. Security researchers estimate that customers of more than 1,000 financial institutions have fallen victim to it. The malware uses a mutation (polymorphic) engine that changes its binary with each build and environment, which makes signature-based antivirus detection difficult. TrickBot, a newer banking Trojan, is likely an improved successor to Dyre: the two share many functions, although TrickBot's code appears to have been rewritten in a different coding style.

CVE Details

• CVE-2015-0057 (the Windows win32k.sys elevation-of-privilege vulnerability, fixed in MS15-010, that this malware targets to escalate privileges on a compromised host)

What are the risks?

Attackers spread this malware mainly through phishing emails, either as attachments or as links to downloads hosted on file-sharing services such as Dropbox; once running, it injects itself into the web browser. On an infected Windows system it carries out Man-in-the-Middle (MITM) attacks against the victim's banking sessions, intercepting traffic inside the browser before it is encrypted, so SSL/TLS certificates offer no protection. Both Trojans are notorious for stealing online-banking and cloud-service credentials.

At Risk:

• Microsoft Windows Server 2003 SP2

• Microsoft Windows Vista SP2

• Microsoft Windows Server 2008 SP2 and R2 SP1

• Microsoft Windows 7 SP1

• Microsoft Windows 8

• Microsoft Windows 8.1

• Microsoft Windows Server 2012 Gold and R2

• Microsoft Windows RT Gold and 8.1    

What are the warning signs of infection?

Once installed, the malware checks in with its command-and-control (C&C) server at regular intervals. Warning signs include unusual outbound bandwidth use and persistent connections from workstations to unknown remote servers, many of which have been located in China or Russia.

What are the countermeasures?

Keep your Windows systems fully patched with the latest updates, including the fix for the vulnerability listed above. Do not open attachments or links from suspicious emails. Avoid clicking on random ads and downloading pirated software.

Am I protected with Indusface Total Application Security?

Malware Monitoring is part of Indusface Total Application Security (TAS), and the TAS scanner can detect whether your website is hosting Dyreza or TrickBot malware.