Trojan Focuses on Europe, North America

Friday, June 5, 2015 @ 10:06 AM gHale

The number of attacks from the Dyre banking Trojan increased by 125 percent in Q1 this year, researchers said.

Dyre infections rose to 9,000 compromises in the first quarter of the year, compared to 4,000 recorded in the last quarter of 2014, said researchers at Trend Micro. While this is a banking Trojan, all industries, including the manufacturing automation sector, should be aware of similar types of attacks.

The group behind the malware started to expand its activity globally and deployed a new malicious email campaign with a new variant of the threat, delivered by a fresh strain of Upatre downloader.

In the first week of May, researchers saw a rise in the spam volume directed at individuals in Asia Pacific countries, with 44 percent of the emails going to this region.

During the same interval, 39 percent of the emails targeted users in Europe and 17 percent those in North America. However, telemetry data from the company shows that over the last three months Europe and North America were the cybercriminals' main focus, the two regions receiving 39.48 percent and 37.84 percent of Dyre-related spam, respectively.

Trend Micro said in a blog post “since cybercriminals are already making the move to expand globally, they can potentially spew out more regionalized messages for their next spam runs.”

Dyre goes out via spam email pretending to be a financial communication the recipient has to address immediately. Researchers said JPMorgan Chase customers are the intended victims.

The message comes with a malicious file in the attachment. The fake document delivers Upatre, which, in turn, delivers Dyre banking Trojan.

The latest variant of the Upatre downloader gained new capabilities that allow it to bypass detection by firewalls or other network-related security products on the system, researchers said. It does this by changing registry entries, terminating services and disabling Windows Defender, the default antivirus on Windows.
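As an added illustration from the defender's side (not code from the article or from Trend Micro), the following read-only PowerShell check looks for the kind of Windows Defender tampering described above: the policy registry value that switches Defender off, a stopped or disabled WinDefend service, and real-time protection turned off. It assumes a Windows 8 or later host with PowerShell 3+ and the Defender module; the registry value and service names are the standard Windows ones, not something the article names.

```powershell
# Added example: read-only check for Windows Defender tampering indicators.
# Assumes Windows 8+, PowerShell 3+, Defender module present; run elevated.

function Test-DefenderTamper {
    $findings = @()

    # 1. Group Policy registry value that disables Defender entirely.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableAntiSpyware -eq 1) {
        $findings += "DisableAntiSpyware=1 under $policyKey"
    }

    # 2. Defender service (WinDefend) stopped or set to Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
    if ($null -eq $svc) {
        $findings += 'WinDefend service not present'
    } elseif ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $findings += "WinDefend state=$($svc.State) startmode=$($svc.StartMode)"
    }

    # 3. Real-time protection or the AV engine reported off by Defender itself.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if (-not $status.RealTimeProtectionEnabled) {
            $findings += 'Real-time protection disabled'
        }
        if (-not $status.AntivirusEnabled) {
            $findings += 'Antivirus engine reported disabled'
        }
    }

    return ,$findings   # unary comma keeps an empty result as an array
}

$result = Test-DefenderTamper
if ($result.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Output 'Possible Defender tampering:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

Any hit is a reason to compare the host against its expected baseline and pull the relevant event logs, since a legitimate third-party antivirus can also disable Defender.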