Although just it has a few months old, the DYRE Trojan (aka Dyreza) is currently the busiest banking malware. Since early this year, the aggressive characteristics incorporated in the binary a fairly proactive gang has been added, working to increase its infrastructure and monetization capacity. Progress has been noticed in two differents fronts:
- Expand the botnet geographical area: The binary spread is done through spam campaigns with malicious attachments. At first these were limited to English-speaking countries, but have expanded their reach.
- Incorporation of new banks: DYRE configuration is done via the usual file that lists the banks where the Trojan must act. As has been expanding the area of influence of the botnet, the list of entities has also experienced an increase, as shown in the following chart
On this growing dynamic was just a matter of time that Spain, so far outside the campaign, entered the list. The latest version of the configuration file was distributed a few days ago; it can be seen as at least five Spanish banks and others in Colombia, Chile and Venezuela have been included for the first time.
The countries currently targeted by criminals are reflected in this map (Click to see the animated GIF):
While its behavior is similar to well-known Zeus, DYRE presents some interesting approaches to the fraud process deserve to be analyzed in an upcoming post :)