Dyre (aka Dyreza), one of the most widespread and effective financial Trojans to crop up in the last few years, is currently not an active threat.
In fact, spam campaigns distributing the Trojan stopped on November 18, and haven’t been resumed. This abrupt drop has been noticed by many information security companies, but it’s only now that we’re starting to hear about the likely reason behind it.
According to several Reuters‘ sources but still unconfirmed by official channels, in November the Russian authorities swooped down on the Moscow film distribution and production company 25th Floor and raided their offices. That occurrence was followed by the aforementioned drop.
But it’s still unconfirmed whether these two things are related. The Russian Interior Ministry’s cybercrime unit said they weren’t involved in the raid. Russia’s intelligence service FSB declined to comment and so did Nikolay Volchkov, the CEO of 25th Floor.
Interestingly enough, the company was at the time involved in producing a film called “Botnet,” which apparently loosely followed a real-life event , and has called in Group-IB, a Moscow-based computer security company, to advise on the technical details.
The Dyre Trojan first surfaced in mid-2014, and has fast become one of the most widespread banking malware around – it even surpassed the infamous Zeus Trojan. Its creators kept pace with technological advances, and continually increased the number of financial institutions whose customers it was able to target.
The malware didn’t target customers of Russian banks and those in the former Soviet Union, which was an indication that the criminals behind it are likely Russian. It is widely known in infosec circles that Russian law enforcement doesn’t get involved in takedowns of cyber crime gangs unless there are Russian victims.
Taking all this into account, it does seem strange that they acted now.
Kaspersky Lab, the Russian security company that allegedly helped the authorities with this takedown has yet to comment on the matter.
“Unless all of the key figures are arrested and major infrastructure seized, cybercrime groups can quickly rebuild their operations in the aftermath of a law enforcement swoop,” commented Symantec researcher Dick O’Brien.
“For example, an October 2015 operation against Dridex, one of the other major financial fraud Trojans currently in operation, appears to have had a limited impact on its operations. While one man was charged and thousands of compromised computers were sinkholed, the rate of Dridex infections did not abate following the takedown.”
“Early indications are that the operation against Dyre has been quite successful, with no sign of the group attempting to re-establish itself. Whether the threat will disappear entirely will become apparent in the coming months,” he added.
After all, Dyre’s source code has been leaked, and it could be easily picked up by other criminals.
Russian AV company Dr. Web says that Dyre still poses a threat as some servers of its infrastructure are still active.