Malware now targeting Australian users could be based on one of the world's worst banking trojans.
Fidelis malware mangler Jason Reaves says the TrickBot malware has strong code similarities to the Dyre trojan, a menace that ripped through Western banks and businesses in the US, the UK, and Australia, inflicting tens of millions of dollars in damages through dozens of separate spam and phishing campaigns since June 2014.
Dyre stole some US$5.5 million from budget carrier Ryanair and fleeced individual businesses of up to $1.5 million each in substantial wire transfers using stolen online banking credentials.
Dyre's rampage eased off last year culminating in its death in November 2015 and the arrest of alleged authors in February 2016 raids across Moscow.
Now one or more members of the Dyre gang appear to be back in the malware business and targeting Australian banks including Westpac, ANZ, NAB, and St George.
Dyre and TrickBot use some of the same malware componentry, a similarity Reaves calls "staggering". The small changes between the two malware apps code appear to be upgrades, rather than core code.
The researcher points to similarities include loaders and custom encryptors, along with close but not identical hashing, and what appears to be an upgraded command and control encryption mechanism.
"[Similarities] would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations," Reaves says.
"... it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot, but that there is considerable new development that has been invested into TrickBot.
"With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot."
Reaves says TrickBot developers are rebuilding their Cutwail botnet to prepare for upcoming spam runs in which the malware will be spread.
"It’ll be interesting to see if TrickBot can reach or pass its predecessor," he says. ®
Sponsored: Ransomware has gone nuclear