We've been tracking the release of new features in the Dyre password-stealing Trojan, and noticed a new behavior starting last month: the malware appears to be connecting to the anonymizing network known as i2p during the course of a typical infection.
We started to notice this behavior in early February, and it was easy to dismiss it as a fluke then because the behavior was rudimentary and buggy. That's no longer the case. SSL traffic generated by the Trojan, decrypted by the SSL Visibility Appliance and inspected with Security Analytics, shows that the malware is actively setting up and connecting to i2p.
By default, i2p configures itself to use a single UDP port on the host machine to receive inbound communications and to proxy outbound requests to the various "dark" services hosted within the i2p network. Security Analytics reveals this traffic as a large volume of UDP packets, from a variety of i2p "peer" machines, all destined to a single UDP port on the machine connected to i2p.
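The traffic shape described above (many distinct peers sending UDP to one port on one internal host) can be turned into a simple fan-in check over flow records. The script below is an added example written for this post, not code from the original article or from any vendor product; the flow records are constructed, the field layout, the `min_peers` threshold and the `exclude_ports` list are all assumptions, and the exclusion of common UDP service ports is there only to keep an ordinary DNS or NTP server from tripping the heuristic.

```python
"""Flag internal hosts receiving UDP from many distinct peers on one port.

Heuristic for the i2p-style traffic pattern described in the post:
group UDP flows by (destination IP, destination port), count distinct
source IPs, and report groups whose peer count exceeds a threshold.
"""
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# timestamp,proto,src_ip,src_port,dst_ip,dst_port,packets
SAMPLE_FLOWS = """\
2015-03-02T10:00:01Z,udp,203.0.113.10,44211,192.0.2.50,18765,42
2015-03-02T10:00:02Z,udp,203.0.113.11,51023,192.0.2.50,18765,17
2015-03-02T10:00:02Z,udp,203.0.113.12,60077,192.0.2.50,18765,31
2015-03-02T10:00:03Z,udp,198.51.100.21,33890,192.0.2.50,18765,8
2015-03-02T10:00:03Z,udp,198.51.100.22,40120,192.0.2.50,18765,25
2015-03-02T10:00:04Z,udp,198.51.100.23,41555,192.0.2.50,18765,12
2015-03-02T10:00:04Z,udp,203.0.113.10,44211,192.0.2.50,18765,19
2015-03-02T10:00:05Z,udp,198.51.100.7,53,192.0.2.50,53412,1
2015-03-02T10:00:05Z,udp,198.51.100.7,53,192.0.2.51,50231,1
2015-03-02T10:00:06Z,udp,203.0.113.30,5555,192.0.2.51,52000,3
2015-03-02T10:00:06Z,tcp,198.51.100.8,443,192.0.2.51,49211,9
2015-03-02T10:00:07Z,udp,203.0.113.40,60000,192.0.2.60,53,2
2015-03-02T10:00:07Z,udp,203.0.113.41,60001,192.0.2.60,53,2
2015-03-02T10:00:08Z,udp,203.0.113.42,60002,192.0.2.60,53,2
2015-03-02T10:00:08Z,udp,203.0.113.43,60003,192.0.2.60,53,2
2015-03-02T10:00:09Z,udp,203.0.113.44,60004,192.0.2.60,53,2
2015-03-02T10:00:09Z,udp,203.0.113.45,60005,192.0.2.60,53,2
"""

# Assumed list of UDP ports where many-peers-to-one-port is normal
# (a DNS or NTP server legitimately talks to many clients).
DEFAULT_EXCLUDED_PORTS = frozenset({53, 123, 500, 4500})


def parse_flows(text):
    """Parse the constructed CSV-like flow format into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, proto, sip, sport, dip, dport, pkts = line.split(",")
        flows.append({
            "ts": ts, "proto": proto.lower(),
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "packets": int(pkts),
        })
    return flows


def find_udp_fan_in(flows, min_peers=5, exclude_ports=DEFAULT_EXCLUDED_PORTS):
    """Return (dst_ip, dst_port) groups reached by >= min_peers distinct
    UDP sources, most suspicious first."""
    peers = defaultdict(set)      # (dst_ip, dst_port) -> set of src_ip
    packets = defaultdict(int)    # (dst_ip, dst_port) -> total packets
    for f in flows:
        if f["proto"] != "udp" or f["dst_port"] in exclude_ports:
            continue
        key = (f["dst_ip"], f["dst_port"])
        peers[key].add(f["src_ip"])
        packets[key] += f["packets"]

    findings = []
    for (dst_ip, dst_port), srcs in peers.items():
        if len(srcs) >= min_peers:
            findings.append({
                "dst_ip": dst_ip, "dst_port": dst_port,
                "peer_count": len(srcs), "packets": packets[(dst_ip, dst_port)],
            })
    # Many peers first, then heaviest packet volume.
    findings.sort(key=lambda r: (-r["peer_count"], -r["packets"]))
    return findings


if __name__ == "__main__":
    for r in find_udp_fan_in(parse_flows(SAMPLE_FLOWS)):
        print("{dst_ip}:{dst_port}  peers={peer_count}  packets={packets}"
              .format(**r))
```

On the constructed input the only hit is `192.0.2.50:18765` (six distinct peers, 154 packets); the DNS server at `192.0.2.60:53` is reached by just as many peers but is dropped by the port exclusion. In practice the threshold and exclusion list need tuning per network, and a hit is a lead for inspecting the host's processes and the decrypted session content, not a verdict on its own.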