'Dyre Wolf' Malware Campaign Employs Social Engineering to Steal from Organizations

IBM has uncovered a sophisticated malware campaign that uses malware, spear-phishing emails, social engineering tactics, and DDoS attacks to target enterprise organizations. In a recent article published on the Security Intelligence blog, John Kuhn, Senior Threat Manager with IBM Managed Security Services, explains that the campaign, which is able to evade two-factor authentication measures, has thus far cost organizations upwards of $1.5 million.

“Since its start in 2014, Dyre has evolved to become simultaneously sophisticated and easy to use, enabling cybercriminals to go for the bigger payout,” Kuhn said.

Recently, Alex Chiu and Angel M. Villegas, a threat researcher and malware research engineer with the Talos Security Intelligence and Research Group at Cisco, published an analysis of how Dyre has enhanced its capabilities over time. Among other things, the two researchers examined how Dyre’s latest versions employ a domain generation algorithm (DGA) that better allows attackers to anonymize their infrastructure and evade detection. The Dyre Wolf campaign works by first targeting employees of enterprise organizations with spear-phishing emails. These emails contain unsafe attachments which if clicked will download Dyre to the victim’s computer. “This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees,” explains Kuhn. “IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error. These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.” Once installed, the malware awaits for the user to visit a banking website, at which point it displays a screen informing the user that the site is down and that they should call a number for assistance. Victims who call the number are patched through to an English-speaking operator who already knows what bank they use. These fraudsters then try to elicit the victim’s banking details, at which point they initiate a wire transfer out of the user’s account. It is the use of an operator for social engineering purposes that makes this particular malware campaign so unique, explains Caleb Barlow, Vice President of IBM Security. “What's very different in this case, is we saw a pivot of the attackers to use a set of social engineering techniques that I think are unprecedented,” said Barlow. “The focus on wire transfers of large sums of money really got our attention.” After the transfer is complete, the attackers then move the money around from bank to bank, at times even deploying DDoS attacks against target companies in order to evade detection. Anti-virus software can do only very little to protect against the Dyre Wolf campaign. As a result, in addition to implementing best security practices in their organizations, organizations are encouraged to offer securing training for their employees, initiatives which should include lessons on how to spot a phishing email.