Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Dyre Banking Trojan Uses Worm to Spread Via Microsoft Outlook

Researchers at Trend Micro have identified a new variant of the financial malware known as Dyre (Dyreza). The threat now targets a larger number of banks and uses some noteworthy propagation and evasion techniques.

Researchers at Trend Micro have identified a new variant of the financial malware known as Dyre (Dyreza). The threat now targets a larger number of banks and uses some noteworthy propagation and evasion techniques.

In the past months, cybercriminals used the Cutwail spambot to distribute Dyre. However, the new variant spotted by Trend Micro uses a more interesting propagation technique.

The attack starts with a spam email containing the Upatre downloader disguised as a fax or the details of a package delivery. Once executed, Upatre downloads the new Dyre variant, which in turn downloads a wom detected by Trend Micro as WORM_MAILSPAM.XDP.

The worm uses the Microsoft Outlook email client installed on compromised devices to send out spam emails with the Upatre downloader attached to them. The malware leverages Outlook’s msmapi32.dll library to complete the task.

“The attached UPATRE malware then downloads DYRE and the cycle repeats. This technique makes DYRE automatically generate spammed emails even faster with the help of its infected users,” Trend Micro Threat Response Engineer Michael Marcos explained in a blog post.

It’s worth noting that the worm doesn’t send spam emails to the victim’s contacts. Instead it uses email addresses obtained from a command and control (C&C) server. Once the emails are sent, the worm deletes itself, the security firm said.

Initially, Dyre was designed to steal information from a total of 206 websites, but this new version targets 355 sites. Most of the recently added websites belong to banks and Bitcoin wallets.

In January, 68% of the Dyre infections spotted by Trend Micro were in the United States, followed by Canada (10%) and Chile (4%).

Researchers also noticed some interesting new evasion techniques, such as the use of SSL to protect C&C communications.

Dyre is designed to connect to C&C servers whose address is hard-coded in the binary. If that fails, the threat attempts to connect to a URL provided by the malware’s domain generation algorithm (DGA). The DGA, which generates URLs on various top-level domains (cc, ws, to, in, hk, cn, tk, and so), is similar to the one of Downad/Conficker.

The malware can also connect to a hard-coded address on the Invisible Internet Project (I2P), an anonymity network used by the online drug marketplace Silk Road Reloaded and the CryptoWall 3.0 ransomware.

Last week, Symantec reported that cybercriminals had been using the Cutwail botnet for short-duration, high-volume spam runs. Each of the attacks lasted only a few minutes, but millions of spam emails had been sent out each time.

The emails contained links that pointed to a malicious website set up to serve a variant of Dyre. In some cases, victims were redirected to a phishing page instead of the malware-serving site.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.