Huge spam campaign drops Trojan on UK bank customers

News by Doug Drinkwater

A huge spam campaign has been installing the Dyreza banking Trojan on tens of thousands of UK computers, specifically targeting those with accounts at major banks.

According to Bitdefender, the campaign has seen up to 30,000 malicious emails being sent in a single day and to customers of NatWest, Barclays, RBS, HSBC, Lloyd's Bank and Santander. These malicious emails carry links to HTML files, which in turn direct users to URLs pointing to highly-obfuscated JavaScript code, which downloads the Trojan. 

The target is then directed to the webpage of a fax service provider as soon as the download is complete.

This is part of a widespread campaign which has also affected major international banks such as the Bank of America, Wells Fargo, JP Morgan Chase in the US and Deutsche Bank and Axa Bank Europe in Germany. Banks in Romania and Australia have also been targeted.

Bitdefender's chief security strategist, Catalin Cosoi, said that the malware - which is also called 'Dyre' - is similar to the infamous Zeus Trojan.

“It installs itself on the user's computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service.”

“Through a man-in-the-browser attack, hackers inject malicious JavaScript code, which allows them to steal credentials and further manipulate accounts – all in a completely covert way.”

Cosoi continued: “Considering the malware's behaviour, it is worth pointing out that mitigating this vulnerability does not lie in the hands of the financial institutions targeted, but in the user's own actions. It's like using a public computer from an internet café to pay your bills - if you forget to log out from your account, anyone can access it and transfer money to their own pockets.”

One of the most interesting things about the Trojan is the way it evades detection from traditional anti-virus (AV) software; each downloaded archive is named differently thereby bypassing AV, a technique known as server-side polymorphism.

The Trojan is detected as Gen:Trojan.Heur.AuW@Izubv1ni. Bitdefender advises users to avoid clicking links in emails from unknown email addresses and keep their anti-malware solution up-to-date with the latest virus definitions.

Andrew Conway, research analyst at Cloudmark, said that Dyreza is one of many Trojans being used against banks worldwide, and added that the 30,000 email figure isn't even that high. 

“Dyreza was first reported last year in June and whilst we have seen the targeted banks change from time to time, we continue to see activity from this threat,” he told “It is just one of the several banking Trojans that we see around the world - for example we see a lot of spam email targeting the Brazilian Boleto Bancario payments system. 

“Whilst the number of emails being sent in a day seems shocking, unfortunately it's not considered a high volume spam attack - a clear indicator that there are more threatening spam attacks taking place that also need to be prevented.”

Conway added that banking Trojans and ransomware continue to be major threats worldwide, even if they are often blocked or placed in a spam folder or detected by AV. However, he noted how scammers will also look for ways of disguising executable files.

“Spammers also have a way of often disguising malicious executable files with unusual file extensions such as .cpl (Windows Control Panel) or .scr (Windows Screen Saver) and so people must remain aware and vigilant to the different ways in which spammers could dupe them. The first step to tackle this issue is not opening any unusual email or files that they have not requested.”

Giorgio Fedon, technical director of Minded Security, added that this simplistic attack is increasingly common in attacks against financial services.

"What is really alarming is not the technique itself, but the popularity that this kind of attack is gaining with fraudsters. It simply works. Sending malware via an attachment is something that has been happening since the Melissa worm almost 15 years ago,” he said in an email to SC.

“However, in the past an infection was minimal, now when you open an allegedly legitimate attachment, you are potentially at risk of becoming a part of a criminal activity without even knowing it, co-responsible for financial fraud, and with a much smaller bank balance at the end of the day.

“Dyre Malware relies on the man-in-the-browser technique by hooking into the web browser. It intercepts traffic between the compromised system and the targeted banks and it can manipulate the content of the website through real-time web injection. Anti-malware technology effective at detecting and identifying risks such as man-in-the-browser web injects could halt this kind of malicious activity".

Marco Morana, director of Minded Security, added: "Banking malware today does not just target commercial bank users, but business bank customers. For example, banking malware can spread through specialised droppers such as Dyreza, specifically targeting bank business customers and computers with email spam campaigns originating from e-fax."

In related news, Trend Micro says that the banking malware Vawtrak has ‘gone through some notable improvement' since it was first spotted 18 months ago as an attachment to fake shipping notification emails. Now, the malware is using malicious macros and Windows PowerShell to steal data.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews