Nobody can accuse trojan coders of being lazy; the masterminds behind the Dyre banking malware are putting in full five-day working weeks to maintain some 285 command and control servers handling stolen banking credentials.
The malware is one of the worst in circulation using its fleet of command and control servers to handle the reams of bank account data blackhats steal using phishing websites.
Symantec says the attacks are confined largely to Europe outside of Russia and Ukraine where most of the command and control servers are located.
"A significant upsurge in activity over the past year has seen Dyre emerge as one of the most dangerous financial trojans, capable of defrauding customers of a wide range of financial institutions across multiple countries," Syamantec says in its Dyre report [PDF].
"Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers.
"It is a multi-pronged threat and is often used to download additional malware on to the victim’s computer. In many cases, the victim is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat further afield."
Symantec's Threat Intel team says Monday is the busiest day for the Dyre VXers.
Attackers have established 21 IP addresses for man-in-the-browser attacks, 14 for malware module distribution, and two for additional payload delivery.
It contains at least eight anti-analysis tricks to fool white hat researchers including anti- emulation and debug, host and network -based encryption, and various server-side "tricks".
At least 1000 websites have been setup to emulate British and US financial organisations, and banks in Australia, Germany, and France. ®