Unfortunately, it turns out that rumors of Dyre’s death were greatly exaggerated. Not long after the company was forcibly closed and their computers impounded, a new threat emerged, this one called TrickBot.
Based on research and forensic analysis conducted by a number of digital security firms, the conclusion is that TrickBot is the direct successor of Dyre, and likely has at least one of Dyre’s developers at the helm, directing the new effort.
Over the past year, TrickBot rose from relative obscurity to become the eighth most successful banking Trojan on the web, currently accounting for three percent of all detections, and its growth continues at a blistering pace.
What makes TrickBot interesting is its sheer versatility. Not only is it configured to be devastatingly effective against banks, but examples have been found in the wild of TrickBot being used successfully against CRMs (Customer Relationship Management), and even Paypal, with researchers discovering 35 spoofed login screens for 35 different Paypal URLs in multiple countries.
Even worse, the number of countries TrickBot has been found in also continues to expand.
Initially, the software was used almost exclusively in Russia, but has expanded to include banks in Bulgaria, Singapore, India and the Netherlands.
What makes TrickBot interesting is that it utilizes an extremely complicated social engineering attack to plant its destructive payload. It requires the target user to open an email, download a PDF, open the PDF and then click on a link which opens a word file to enable macros.
Given so many hoops to jump through, one might imagine that almost no one would fall for it, but surprisingly, the opposite is proving true. It seems that because of all the hoops, no one suspects that it could be an attack, because to date, most attacks have been much more straightforward.
In any case, given its rapid spread and growth, it bears watching, so be sure your IT staff is aware.