February 8, 2016

Trojan.Dyre became notorious in 2015. Two months have past since law enforcement authorities carried out a large-scale operation in order to capture a gang responsible for the Trojan.Dyre distribution. However, this Trojan has come into light once again. Mass media claims that the malicious program that threatened financial organizations all over the world since summer 2014 is eliminated. Yet, law enforcement agencies are not so eager to announce about their success.

Doctor Web specialists have been keeping a close watch on the Trojan.Dyre distribution and examining its infrastructure. It is noteworthy that this malicious program is a “classic” example of how the CaaS (crime-as-a-service) model is carried out. The “clients of this service” received a builder that was used to generate a sample of the Trojan. Thus, its signature could be changed very often, which made it almost invulnerable for anti-virus software. All collected information stored on the infected device was sent to the C&C servers. The information was then processed and located on an administration panel accessible to those “users” that had paid for it. This panel was divided on several parts, such as botnets management and log-based search. Besides, there were several groups of panels. Incoming data could be filtered depending on the information cybercriminals wanted to get—for example, logins and passwords, and so on.

According to Doctor Web specialists, Trojan.Dyre’s infrastructure is rather unique because it is much more complicated in comparison with other notorious financial malware programs. In most cases, information from compromised machines was sent to the server where a bot control panel was located. However, Trojan.Dyre’s developers implemented various technologies, which proved that the gang had considerable financial and human resources. At that, servers that processed information received from bots were written in .Net, and botnets administrator panels—using the Kohana php framework. To store and process data arrays coming from any spot of the Earth, they used the postgres and mysql bases, and sphinx, a full text search server. All incoming information was assigned to special filters so that cybercriminals could quickly find any information they were interested in—for instance, logins, passwords, bank card numbers, users’ personal data, and so on. To complicate the detection of the servers, Tor servers and proxy servers associated by implementing openvpn were used. A key feature of Trojan.Dyre’s attack was that it located first proxy layer on hacked routers whose routing table was modified. Wi-fi routers were hacked by brute-forcing passwords since users often do not change default settings of their routers, and some victims do not even think that routers can be somehow used to infect their machines.

Nevertheless, Doctor Web analysts managed to identify several addresses of the Trojan’s C&C servers. Moreover, they revealed elements of the Trojan.Dyre infrastructure and intercepted some incoming connections from infected machines. Thus, our specialists timely provided several European banks and law enforcement agencies of some countries with important information.

In spite of materials published by mass media, Doctor Web security researchers believe that Trojan.Dyre still poses a threat as they regularly register spam mailings containing samples of this Trojan, which proves that some servers of its infrastructure are still active. Therefore, this story is more likely “to be continued”.