CERT-In Warns of Banking Trojan DyrezaNew Malware Targets Online Banking Credentials
CERT-In has issued an alert against a new banking Trojan dubbed Dyreza, which targets users of online banking services. The malware infects Microsoft Windows-based systems and propagates itself through phishing and other social engineering techniques.
In its alert, CERT-In warns that the Trojan has the ability to bypass SSL protection using browser hooks, captures keystrokes and can perform man-in-the-middle attacks to intercept network traffic. The malware has the ability to make itself persistent on the infected system. Dyreza a.k.a. Dyre, has over 10 variants and uses SSL encryption to communicate with the command & control server. CERT-US released a brief, similar notification on October 27.
"Variants of the new banking Trojan are spreading," cautions the CERT-In advisory. However no known infections have been reported in India so far. In the U.S., Dyreza has been known to target customers of major banks such as Bank of America and JPMorgan Chase. It has also been customized to target Salesforce user accounts by targeting Salesforce's SaaS application.
"Dyreza has both similarities and difference to the (in)famous Zeus malware. It has been crafted to capture online banking credentials from the unencrypted web traffic by browser hooking for IE, Chrome, Firefox," shares the CISO at a leading private sector bank.
While all major endpoint protection vendors have released signatures for this malware, the potential issue is whether this attack can circumvent two factor authentication, in which case, the impact can be significant, the CISO says.
Nitin Bhatnagar, Head- Business Development APAC and EMEA at Bengaluru-based SISA, a compliance services and training provider, believes that the threat from this Trojan is not directly to banking infrastructure, as the malware sits at the endpoint. Further, he adds, if the endpoint is compromised, the liability is to the customer and not the bank.
"Dyreza is nothing but a sophisticated phishing campaign," he says. The strategy by which this malware is spreading is by enticing victims through well-targeted campaigns and payloads, customized on a granular level.
While the CERT-In alert advises system patching, attachment blocking, mail screening and script disabling etc., experts express concern that this might not be enough.
Dr. Onkar Nath, ex-CISO Central Bank of India and a leading security strategist, says online banking transactions in India are happening through SSL (https), which is bypassed by this Trojan. "This Trojan infects the end-points, wherein controls are minimal, giving rise to a high probability of exploitation," he says.
He believes that Indian banks need to look beyond SSL, which has already been broken, and can consider enforcing Transport Layer Security or SHA3 to overcome Dyreza's capabilities. "Controls need to be implemented at the Web server level by disabling SSL and introducing TLS only," he says. Indian banks need to take SSL compromises more seriously, but this is not something that is seeing a lot of traction yet in India.
Experts say that OTP through out-of-band communication will help in addressing the threat to some extent and minimize exposure.
Awareness is Key
The response to Dyreza is the same as for other malware, says Dr. Nath. Users must beware of clicking on mails and attachments from unknown sources. Awareness is the most important tool for bank customers. He believes Indian banks are lacking here, as no timely advice is shared with customers. "Quick response in generating awareness is the best tool to deal with these attacks," he advises.
Bhatnagar of SISA concurs, urging financial institutions to come up with targeted and timely awareness programs to counter the tactics used in these elaborate phishing campaigns.