Security Advisor

'Dyre Wolf' Malware Steals Millions from Enterprises

Researchers at IBM have discovered an active attack campaign using a variation of the Dyre Trojan that has already stolen millions from organizations.

According to IBM, the campaign has used both malware and social engineering techniques to circumvent two-factor authentication security features of targeted enterprises. While the identities of those responsible are unknown, IBM Senior Threat Researcher John Kuhn said the group is well organized and talented.

"In this campaign, the attackers are several steps ahead of everyone," wrote Kuhn. "Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. It's also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware."

Kuhn said that those behind the Dyre Wolf malware are using spear phishing techniques in e-mails targeted at those inside specific enterprises for the initial infection. Once inside, the ring has been able to transfer between $500,000 and $1.5 million from victims. According to the report, all recent targets appear to be located outside the U.S. and have focused on organizations that regularly engage in large transactions.

While the variant of the Dyre Trojan appears to be new, IBM researchers have been following the root malware since its discovery in June of 2014. Since appearing on the scene, it has been used to attack high-profile targets including Citigroup, JPMorgan Chase and Bank of America. Its popularity among attackers has also exploded, with the infection rate increasing from 500 in June of last year to 3,500 by October.

IBM suggests that the best way to protect organizations from the Dyre Wolf and other variations is to increase user training and advise workers on safe online practices. However, Richard Blech, CEO of security firm Secure Channels, said that responsibility of avoiding this attack shouldn't only lie with end users.

"If the definition of technology is the application of scientific knowledge for practical purposes, especially in industry, why are we blaming the user for not knowing enough? Technology leaders need to stop blaming the user for inadequacies and 'needing training,'" said Blech in an e-mailed comment. "Our duty in the technology industry is to provide options for the user, based on innovation not blame.

Blech recommends that organizations increase their multi-factor authentication security with "... tokenized Identity using binary and biometrics resources which avoid outdated, easily hacked, and easily forgotten alphanumeric passwords of yesterday."

About the Author

Chris Paoli is the site producer for and


  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.