Banking Trojan Dyreza sends 30,000 malicious emails in one day, Bitdefender warns

A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, warns Bitdefender, the antivirus solutions provider. 30,000 malicious emails were sent in just one day from spam servers in the UK, France, Turkey, US and Russia.

The spam, which has been directed to customers of UK banks including NatWest, Barclays, RBS, HSBC, Lloyds Bank and Santander, carries links to HTML files which directs users to URLs pointing to highly obfuscated Javascript code. This automatically downloads a zip archive from a remote location.

"First seen in 2014, Dyre is very similar to the infamous Zeus. It installs itself on the user's computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service," states Catalin Cosoi, Chief Security Strategist at Bitdefender. "Through a man-in-the-browser attack, hackers inject malicious Javascript code, which allows them to steal credentials and further manipulate accounts – all in a completely covert way."

Catalin Cosoi continues: "Considering the malware's behaviour, it is worth pointing out that mitigating this vulnerability does not lie in the hands of the financial institutions targeted, but in the user's own actions. It's like using a public computer from an internet café to pay your bills - if you forget to log out from your account, anyone can access it and transfer money to their own pockets."

Interestingly, each downloaded archive is named differently to bypass antivirus solutions. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new. To take the con one step further, the same Javascript code redirects the user to the localised webpage of a fax service provider as soon as the archive is downloaded.

Bitdefender detects and blocks all elements of the threat: the .js file, the downloader and the executable. The Trojan is detected as Gen:Trojan.Heur.AuW@Izubv1ni. Bitdefender reminds users to avoid clicking links in e-mails from unknown e-mail addresses and, of course, keep their anti-malware solution up-to-date with the latest virus definitions.