Highly adept trojan malware that is operated remotely, conceals itself from detection and allows fraudsters to transfer large sums of money from victim accounts is a growing, serious threat in the financial industry.
According to malware experts speaking at a session at the recent RSA security conference, remote access trojans (RATs) such as Dyre and Dridex are complex and combine many features of older malware to hide their presence in a user's device or computer.
They are directly controlled remotely by criminals, and use authentic-looking “social engineering” messages to lure victims into providing access to their accounts.
According to Uri Rivner, head of cyberstrategy at BioCatch, RATs such as Dridex take an average of 31 minutes to detect and the average amount they transfer from a single account is $26,000. Such amounts are far greater than what has been seen in the past with banking malware, he said.
Dridex, Dyre, Dyreza and other variations on this form of trojan are relatively new – Dyre and Dridex first came to notice in 2014, principally targeting European institutions. In the following months attackers have made the trojans more complex, adding supporting infrastructure to make them even more surreptitious and effective.
Fraudsters
Rivner said that while standard fraud detection systems miss the trojan, they’ve been able to spot it in action and understand how fraudsters are utilising it by tracking the movement of the mouse cursor in the browser when the bank’s website is being accessed by attackers.
Rivner showed animations of the victim’s cursor activities, which show that cursor movements shift from even horizontal movements by the victim, to jerky, vertical movements of the attacker’s cursor, which occur while the victim goes off to look at a different webpage.
“The whole hand and eye coordination is off,” he said, with an immediately noticeable difference between the user and attacker.
“So, we can look at the [user] session and think, hey, have we seen this user before, or is there some anomaly indicator?”
In one Dyre-based fraud case at a top-25 US bank, the attack came from the user’s device. “You could compare the user’s activity [by tracing cursor movements], and it was very different between four days in January 2015.”
Rivner said it looked almost as if the user did not have control of the mouse.
In this attack, a link on the page was clicked, but not by the user. Then, the user went away from the bank’s website for about three minutes. Rivner said this was because Dyre spoofs the user into visiting a fake site to enter sensitive information, while Dyre changes the user’s phone number contact for the bank, enabling the attackers to use that new number to fool the bank into thinking they are the user.
Yet that single click, and brief three-minute break from the website, “was the only thing about that session that was a little bit strange”. The fraud happened weeks later, in June, when a large amount of money was transferred from the account.
In this second phase, the jerky vertical movements of the cursor were the only trace of the attack – “the Dyre operator inside the victim’s computer, almost like a digital signature from the operator”. Yet to the bank, the session appeared to be a normal interaction from the victim with the bank.
“The social engineering of Dyre is perfect,” Rivner said. “It looks like a normal interaction. The bank was surprised, and said everything about these attacks was different, except for the ‘signature’ of the criminal. That same person kept coming back for more and more attacks.”
In another attack, at a top- five British corporate bank, the user received a spoof social engineering message asking which type of device the owner was using to contact the bank.
Fake website
The user was then sent to a fake Dridex website to enter information. As with Dyre, sending the victim to a separate website makes the attackers harder to track, he said.
“The gamechanging part of the new malware is that they use remote access to actually do the fraud, to move money. This is a cloaking device. Dridex and Dyre both redirect people to a fake website and do the social engineering there,” Rivner said.
In another case, at a top-five wealth management bank in the UK, the attackers rang the victim, told him he had a virus, then told him to go to Google and get and install TeamViewer – widely used remote access software – that lets the attackers gain control of the victim's computer.
They then told the user to go get some coffee and relax while they “ran some tests” to get rid of the virus. Again, on the actual bank site, it appears as if the victim has logged in. “But two minutes in, something changes. Activity gets very erratic.”
Attackers then transferred a significant sum of money from the victim’s account.
Dyre and other RAT attacks can happen anywhere now, said Rivner, on either PCs or mobile devices.
In mobile attacks, fraudsters can remotely lock a device. Though the attackers are at a remote computer, they only need to open the banking application in a browser, without needing the victim’s login details, because the bank site thinks the contact is coming from a trusted device. “You don’t even have to log in. Then you just move money.”
Rivner, who says Dridex is becoming the most dangerous trojan, cautioned these RATs signal “a gamechanging moment”, as they “neutralise the usual anti-fraud controls”.