A Remote Access Tool called ‘Dyre’ can circumvent encryption
Online banking customers in the UK are being attacked using a previously undocumented Remote Access Tool (RAT) malware family, codenamed “Dyre”.
The new strain was discovered by security researchers from PhishMe, who say it is used to steal login details, circumventing SSL encryption and two-factor authentication through a technique known as “browser hooking”.
Judging by the code, Dyre currently targets the customers of Citigroup, Bank of America, Royal Bank of Scotland and its subsidiaries NatWest and Ulster Bank.
The infection starts with a phishing email, seemingly originating from a bank. It includes a link to an archive file, sometimes hosted on a legitimate cloud storage service. Once the user tries to open the file, malware infects the system and starts communicating with a control server.
If the user then attempts to log into one of the popular online banking services, their data is sent to the attacker without setting off any alarm bells.
“Here’s the kicker. All of this should be encrypted and never seen in the clear. By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attacker’s page,” explained Ronnie Tokazowski, senior researcher at PhishMe.
He added that the new malware is highly packed and obfuscated, which often prevents it from being detected by popular anti-virus solutions.
“Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a ‘Flash Player update’,” he warned.
While threat signatures are still being exchanged, online banking users are advised to be extra careful with their email and not to click on suspicious links leading to archives or applications.