IBM Spots New Malware Attack, the Dyre Wolf

April 3, 2015         By: Steven Anderson

For cybersecurity professionals, the word “Dyre” isn’t just a cause to cringe at the terrible spelling, but rather a cause to cringe at the sheer amount of damage done so far.

IBM Security, meanwhile, has been following the progress of Dyre, the name of a strand of malware for some time, and in the process uncovered a new variant that’s already successfully cleared the seven-figure mark for thefts.

Dubbed the Dyre Wolf, this has actually managed to prove the vulnerability of two-factor authentication thanks to some potent social engineering.

The reports suggest that Dyre Wolf has managed to take between half a million and $1.5 million from organizations in recent incidents, so it’s accomplished quite a bit in a comparatively short period of time.

Dyre normally focuses its attacks on businesses, and was previously regarded as a comparatively simple piece of malware. Dyre’s recent evolution to Dyre Wolf, meanwhile, has given the tool not only greater power but also a greater ease-of-use factor, meaning that it can rake in bigger paydays.

Dyre has been on the rise since its launch in 2014, going from 500 instances to nearly 3,500, a pretty substantial gain. Dyre gets its initial infection capability thanks to the Upatre malware using what’s known as a “spear-phishing” email, though it can also be part of a complete distributed denial of service (DDoS) attack, making it useful on a variety of fronts.

The biggest target for Dyre and Dyre Wolf users are large-scale organizations that use wire transfers routinely to send large sums of money.

Since the majority of antivirus tools can’t detect Dyre or Dyre Wolf as yet, that makes it a particularly powerful weapon against a company. Dyre is programmed to monitor several bank websites and, when a victim goes to log into one of these sites, it instead puts up an image explaining that the website is experiencing some technical difficulties.

Users are then advised to call a number to get “help logging in,” which is of course malware talk for “give us your login information so we can start plundering like 16th-century pirates.”

The intended wire transfer goes on a circuitous journey so as to throw law enforcement off the trail. Often, a high-volume DDoS attack follows as a means to cover the trail.

Insidious, clever, downright horrifying; call it what you will, but it’s clear that Dyre Wolf is a powerful and particularly nasty piece of work that could do a lot of damage.

What can be done to protect against this problem? Well, one fairly easy thing to do is to not fall for the social engineering part of things. Calling the number on the screen is a poor path; instead, if you suspect that there are issues logging into a bank’s website, call the bank directly using a more established number to ask about the issues.

If the bank can’t confirm any problems, then it’s a safe bet that there’s something lurking on your device.

Of course, it’ll help when the antivirus software can detect it, but in this case, it seems to be a nice combination of factors that helps out here; the antivirus systems to catch the virus coming in, and some astute strategy of social engineering to catch the virus trying to get out and do its true damage.