Dyre Returns As Malicious Spam Targets UK Bank Customers

Return of Dyre malware. Malicious emails targeting UK banking customers contain the nasty trojan

Banking customers in the UK are once again being targeted by cybercriminals, as a new threat dispatched 19,000 spam emails in just a three-day period.

This is the warning from security experts Bitdefender, which said that the malicious emails invite users to download an archive containing a malicious .exe file.

Zeus Revenge

According to Bitdefender, the malicious .exe file apparently acts as a downloader that fetches and executes the infamous Dyreza banker Trojan, also known as Dyre.

Trend Micro warned last month that infections of the Dyre banking malware have risen sharply in the first quarter of 2015, with Europeans among the most targeted.

And now in the latest campaign, Bitdefender said that 19,000 customers of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander have been targeted. In the US, clients of Bank of America, Citibank, Wells Fargo, JP Morgan Chase and PayPal may have been exposed to theft. German banking customers have also been targeted.

The way it works is that banking customers get an email that poses as a follow-up from a tax consultant. The message asks the user to urgently download the attached archive and provide information to complete a financial transaction.

Another spam email pretends to attach financial documentation and asks the user to verify its authenticity. A third spam email warns the recipient of penalties imposed on his or her company, with an invitation to the business owner to see ‘the administrative determination.’

“First seen in 2014, Dyre is very similar to the infamous Zeus,” said Catalin Cosoi, Chief Security Strategist at Bitdefender. “It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers inject malicious JavaScript code, allowing them to steal credentials and further manipulate accounts, all completely covertly.”

“If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page,” said Cosoi. “The server will then respond with the compressed version of the web page with malicious code added to it. This altered web page is then displayed on the victim’s web browser. Its appearance remains exactly the same, but the added code harvests the victim’s login credentials.”
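The page swap Cosoi describes leaves the login page looking identical while adding code and fields; the integrity check below is an added example (not code from the article or from Bitdefender) of how a bank's site or an endpoint agent could catch that: it compares a trusted reference copy of the login page with the copy that actually reached the browser and reports any script elements or form inputs that were added. Both HTML documents are constructed sample input.

```python
"""Detect web-inject style additions to a login page by comparing a
trusted reference copy with the copy the browser received."""
from html.parser import HTMLParser


class _ElementCollector(HTMLParser):
    """Collects script elements (external src or inline body) and input names."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # "src:<url>" or "inline:<normalised body>"
        self.inputs = []        # form field names
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if "src" in a:
                self.scripts.append("src:" + a["src"])
            else:
                self._in_script = True      # body arrives via handle_data
        elif tag == "input":
            self.inputs.append(a.get("name", ""))

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append("inline:" + " ".join(data.split()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def _collect(html):
    parser = _ElementCollector()
    parser.feed(html)
    return parser


def find_injected(reference_html, observed_html):
    """Return (added_scripts, added_inputs): elements present in the observed
    page that do not appear in the trusted reference page."""
    ref, obs = _collect(reference_html), _collect(observed_html)
    added_scripts = [s for s in obs.scripts if s not in ref.scripts]
    added_inputs = [i for i in obs.inputs if i not in ref.inputs]
    return added_scripts, added_inputs


# Constructed sample: the bank's genuine login form and an altered copy with
# an extra PIN field and an inline script (a neutral placeholder body).
REFERENCE = ('<form action="/login" method="post"><input name="user">'
             '<input name="password" type="password">'
             '<script src="/static/app.js"></script></form>')
OBSERVED = REFERENCE.replace(
    "</form>", '<input name="pin"><script>var inject_marker = 1;</script></form>')
```

Running `find_injected(REFERENCE, OBSERVED)` flags the added `pin` field and the added inline script, while the unmodified page produces no findings.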

Well Known

Dyre is a well-known banking trojan. Its techniques for data theft include man-in-the-middle web browser attacks, taking browser screenshots that are then sent back to the malware’s operators, and stealing security certificates and online banking credentials. Salesforce.com warned last year that the malware was targeting its customers.

The malware was found last summer to be targeting UK users.

In April, IBM reported that an experienced Eastern European criminal gang was using the malware along with sophisticated social engineering techniques, such as telephone lines with English-language operators, to target US organisations, with successful operations netting between $500,000 (£330,000) and $1.5 million per incident.
