Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Dyre Banking Trojan Now Targets Windows 10, Microsoft Edge

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

The developers of the notorious Dyre (Dyreza) banking Trojan have released a new version of the threat that includes support for Windows 10 and Microsoft Edge.

According to researchers, Dyre now also targets Windows 10 users, and in addition to Chrome, Firefox and Internet Explorer, the malware can also hook its malicious code into the process of Microsoft’s latest web browser, Edge.

The changes in the latest version of Dyre were documented by both Heimdal Security and F5 Networks.

F5 reported that the authors of Dyre have renamed some of the existing commands and added new ones for novel functionality. The new commands are used to get the IP of the command and control (C&C) server, the botnet name, configuration for fake pages, configuration for server-side webinjects, account information stolen by the Pony module, and an anti-antivirus module.

This anti-antivirus module, named “aa32” or “aa64” in the case of 64-bit versions of Windows, is injected into the “spoolsv.exe” process, which is normally used for fax and print jobs. The module is designed to locate security products installed on the infected machine and disable them by deleting their files or by changing their configuration.

The list of targeted antiviruses, detected by Dyre based on registry entries, includes products from Avira, AVG, Malwarebytes, Fortinet and Trend Micro. The malware also attempts to disable the Windows Defender service.

In order to make the malware more difficult to analyze, the developers have encrypted hardcoded debug strings and only decrypt them during runtime. As a result of this change, static analysis provides a lot less information about the Trojan’s behavior than before.

As for persistence after a reboot, previous versions of Dyre used a Run key in the registry, but the latest variant relies on a scheduled task that is run every minute.

Dyre developers also attempted to make the malware more difficult to detect by generating a pipe name based on a hash of the computer’s name and version of the operating system — initially the name of the pipe was hardcoded. However, experts say this doesn’t really help as the name can now be predicted for each infected device.

“We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous,” F5 said in a blog post. “They also wish to keep the malware up-to-date with current OS releases in order to be ‘compatible’ with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest.”

According to Heimdal Security, Dyre has already infected roughly 80,000 machines and the company believes the number will increase.

“The timing of this new strain is just right: the season for Thanksgiving, Black Friday and Christmas shopping is ready to start, so financial malware will be set to collect a huge amount of financial data. Users will be busy, prone to multitasking and likely to choose convenience over safety online,” Heimdal Security noted.

Related Reading: Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Related Reading: Dyre Malware Gang Targets Spanish Banks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.