CERT-In Warns of Banking Trojan Dyreza

New Malware Targets Online Banking Credentials

CERT-In has issued an alert about a new banking Trojan dubbed Dyreza, which targets users of online banking services. The malware infects Microsoft Windows systems and spreads through phishing and other social-engineering techniques.


In its alert, CERT-In warns that the Trojan can bypass SSL protection by hooking the browser, captures keystrokes and can perform man-in-the-middle attacks to intercept network traffic. Because the hooks sit inside the browser process, the Trojan reads form data before it is encrypted rather than breaking the SSL session itself. The malware can also make itself persistent on the infected system. Dyreza, a.k.a. Dyre, has more than 10 known variants and uses SSL encryption to communicate with its command-and-control server. US-CERT released a brief, similar notification on October 27.

"Variants of the new banking Trojan are spreading," cautions the CERT-In advisory. However, no infections have been reported in India so far. In the U.S., Dyreza has been known to target customers of major banks such as Bank of America and JPMorgan Chase. It has also been customized to target Salesforce user accounts.

End-points Impacted

"Dyreza has both similarities and differences to the (in)famous Zeus malware. It has been crafted to capture online banking credentials from the unencrypted web traffic by browser hooking for IE, Chrome, Firefox," says the CISO at a leading private sector bank.

While all major endpoint protection vendors have released signatures for this malware, the open question is whether the attack can circumvent two-factor authentication, in which case the impact could be significant, the CISO says.
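To make concrete what "bypassing SSL with browser hooks" means, the following is an added illustration in Python and not Dyreza's code: a toy browser whose last plaintext handler is replaced by a form grabber, alongside the kind of integrity check a defender uses to notice such a hook. The Browser class, the XOR "protection" routine (a stand-in for TLS record encryption, not real TLS), the bank.example URL and the credentials are all constructed for the example; a real form grabber patches native functions inside the browser process.

```python
"""Form-grabbing hook vs. transport encryption, modelled in Python.

Added illustration, not Dyreza's code. A Python method stands in for the
native function that hands a request body to the TLS layer inside a browser.
"""
import hashlib
import json


class Browser:
    """Minimal stand-in for a browser's request path: form -> serialise -> TLS -> wire."""

    def __init__(self, protocol: str = "TLSv1.2") -> None:
        self.protocol = protocol
        self.wire: list[bytes] = []   # what actually leaves the host

    def _protect(self, record: bytes) -> bytes:
        """Assumed stand-in for TLS record protection: a toy XOR keystream, not real TLS.

        The protocol label is folded into the keystream only to show that moving
        from SSL to TLS changes the ciphertext, not what a hook above this layer sees.
        """
        stream = hashlib.sha256(self.protocol.encode()).digest()
        return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(record))

    def submit_form(self, url: str, fields: dict) -> None:
        record = json.dumps({"url": url, "fields": fields}).encode()
        self.wire.append(self._protect(record))   # hook target: last plaintext handler


def install_form_grabber(browser: Browser, loot: list) -> None:
    """Replace the plaintext handler with a wrapper that copies the data, then passes it on."""
    original = browser._protect

    def hooked(record: bytes) -> bytes:
        loot.append(json.loads(record))   # credentials captured before encryption
        return original(record)           # transparent to the user and to the bank

    browser._protect = hooked             # instance attribute shadows the class method


def is_hooked(browser: Browser) -> bool:
    """Integrity check: does the handler still resolve to the class's own code?

    The native analogue compares a function's first bytes in memory against the
    on-disk module image; an inline hook shows up as an unexpected jump.
    """
    return getattr(browser._protect, "__func__", None) is not Browser._protect


def demo(protocol: str) -> tuple:
    """Infect a browser, submit a login form, return (loot, wire bytes, hook detected)."""
    browser = Browser(protocol)
    loot: list = []
    install_form_grabber(browser, loot)
    # Constructed sample login, not a real site or account.
    browser.submit_form("https://bank.example/login",
                        {"user": "alice", "password": "hunter2", "otp": "482913"})
    return loot, browser.wire[0], is_hooked(browser)


if __name__ == "__main__":
    for proto in ("SSLv3", "TLSv1.2"):
        loot, ciphertext, hooked = demo(proto)
        print(proto, "| captured:", loot[0]["fields"],
              "| on the wire:", ciphertext[:8].hex(), "...",
              "| hook detected:", hooked)
```

Whichever protocol label the browser runs with, the captured fields are identical and only the wire bytes differ: the hook sits above the transport layer, so the choice of SSL or TLS version does not affect what it sees. A one-time code typed into the same form is captured the same way, which is why the out-of-band OTP the experts mention later helps only to the extent that the attacker cannot use the code before it expires.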

Nitin Bhatnagar, Head of Business Development, APAC and EMEA, at Bengaluru-based SISA, a compliance services and training provider, believes that the threat from this Trojan is not directly to banking infrastructure, as the malware sits at the endpoint. Further, he adds, if the endpoint is compromised, liability lies with the customer and not the bank.

"Dyreza is nothing but a sophisticated phishing campaign," he says. The malware spreads by enticing victims through well-targeted campaigns, with payloads customized at a granular level.

Remediation Advice

While the CERT-In alert advises system patching, blocking attachments, screening mail, disabling scripts and similar measures, experts are concerned that this may not be enough.
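As an added example of the attachment blocking and mail screening CERT-In recommends (this is not CERT-In's tooling), the Python below parses a constructed phishing-style message, flags attachments with executable extensions, looks inside zip archives (including nested and password-protected ones, with a nesting and size limit) and reports what it finds. The blocked-extension list, the limits, the example.invalid addresses and the sample message are assumptions made for the example.

```python
"""Mail-screening check for executable attachments (added example, not CERT-In's tooling)."""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Assumed policy: file types that should never arrive by mail unless explicitly allowed.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2                 # zip-in-zip is a common evasion; do not recurse forever
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to inflate very large members (zip-bomb guard)


def extension_of(filename: str) -> str:
    """Last extension, lower-cased, so 'Invoice.pdf.exe' is treated as an executable."""
    return os.path.splitext(filename)[1].lower()


def scan_attachment(filename: str, payload: Optional[bytes], depth: int = 0) -> list:
    """Return human-readable findings for one attachment, descending into zip archives.

    payload is None when the bytes are unavailable (an encrypted zip member): the
    name can still be checked, the contents cannot.
    """
    findings = []
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{filename}: blocked extension {ext}")
    if ext not in ARCHIVE_EXTENSIONS:
        return findings
    if payload is None:
        findings.append(f"{filename}: encrypted archive, contents cannot be inspected")
        return findings
    if depth >= MAX_ARCHIVE_DEPTH:
        findings.append(f"{filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH} levels")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            encrypted = 0
            for info in archive.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{filename} -> {info.filename}: member too large to inspect")
                    continue
                if info.flag_bits & 0x1:      # general-purpose bit 0: member is encrypted
                    encrypted += 1
                    inner = None              # name is checkable, bytes are not
                else:
                    inner = archive.read(info)
                findings.extend(f"{filename} -> {f}"
                                for f in scan_attachment(info.filename, inner, depth + 1))
            if encrypted:
                # Password-protected zips are a standard way to get executables past filters.
                findings.append(f"{filename}: {encrypted} password-protected member(s), contents not inspected")
    except zipfile.BadZipFile:
        findings.append(f"{filename}: corrupt or non-zip data with a .zip name")
    return findings


def screen_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(scan_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing-style mail: a zip hiding a double-extension executable next to a PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please review the attached invoice and confirm payment.")
    msg.add_attachment(make_zip({"Invoice_2014.pdf.exe": b"MZ placeholder, not a real executable"}),
                       maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("BLOCK:", finding)
```

The check deliberately keys on the last extension and on what the archive actually contains, rather than on the declared MIME type, because the sender controls the latter. An encrypted member is reported rather than silently passed, since the password is usually in the lure text and the filter cannot see inside.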

Dr. Onkar Nath, former CISO of Central Bank of India and a leading security strategist, says online banking transactions in India take place over SSL (https), which this Trojan bypasses. "This Trojan infects the end-points, wherein controls are minimal, giving rise to a high probability of exploitation," he says.

He believes that Indian banks need to look beyond SSL, which has already been broken, and could consider enforcing Transport Layer Security or SHA3 to overcome Dyreza's capabilities. "Controls need to be implemented at the Web server level by disabling SSL and introducing TLS only," he says. Indian banks need to take SSL compromises more seriously, but the idea is not yet gaining much traction in India.

Experts say that one-time passwords delivered through an out-of-band channel will help address the threat to some extent and minimize exposure.

Awareness is Key

The response to Dyreza is the same as for other malware, says Dr. Nath: users must be wary of clicking on mails and attachments from unknown sources. Awareness is the most important tool for bank customers, and he believes Indian banks are lacking here, as no timely advice is shared with customers. "Quick response in generating awareness is the best tool to deal with these attacks," he advises.

Bhatnagar of SISA concurs, urging financial institutions to come up with targeted and timely awareness programs to counter the tactics used in these elaborate phishing campaigns.

About the Author

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.
