Banking Trojan Lurking Inside Innocent Fax Messages, Bitdefender Warns

A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, Bitdefender malware analysts warn.

The malicious spam messages carry links to HTML files. The files link to URLs directing to highly obfuscated Javascript code that automatically downloads a zip archive from a remote location.

Interestingly enough, each downloaded archive is named differently to bypass the antivirus. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new.

To take the con one step further, the same Javascript code redirects the user to the localized webpage of a fax service provider as soon as the archive is downloaded.


The archive contents look like regular pdf files. They are in fact executable files with a PDF icon. They act as downloaders that fetch and execute the Dyreza banker Trojan, also known as Dyre.

Dyre Malware Analysis

First seen in 2014, Dyre is very similar to the infamous Zeus. It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers inject malicious Javascript code, which allows them to steal credentials and further manipulate accounts– all in a completely covert way.

Despite facing a threat known to resist reverse engineering techniques, Bitdefender malware researchers have managed to analyze it and uncover the list of targeted websites. Customers of reputable financial and banking institutions from the US, UK, Ireland, Germany, Australia, Romania and Italy have been targeted.

  • [US] Clients of Bank of America, Citibank, Wells Fargo, JP Morgan Chase and RBC Royal Bank (Canada) may have been exposed to theft.
  • [UK] Customers of NatWest, Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank, Santander, Turkish Bank and Bank Leumi UK have been targeted by hackers.
  • [Germany] Customers of Deutsche Bank, Axa Bank Europe, Bankhaus August Lenz, Dab Bank, Degussa Bank, Valovis Bank and HypoVereinsbank may have had credentials and money stolen from their accounts.
  • [Australia] Hackers went after clients of Australian investment funds North Online and SuperIQ, Bendingo Bank and HSBC.
  • [Romania] Clients of Alpha Bank, Bancpost, BRD, CEC Bank, UniCredit, CreditEurope, Raiffeisen and BCR are among the potential victims of the credential-stealing Trojan.

However, despite the relative sophistication of the attack, it still relies on the user’s curiosity to look into the archive and manually run its contents. A bit of caution can reduce the chances of infection. Here’s what several malicious links look like:

fax 3

According to Bitdefender Labs, 30,000 malicious emails were sent in one day from spam servers in the US, Russia, Turkey, France, Canada and the UK. Curiously, the campaign’s name – 2201us- seems to indicate the attack date (22nd January) and the targeted country (US), Bitdefender malware researchers found.

Bitdefender detects and blocks all elements of the threat: the .js file, the downloader and the executable. The Trojan is detected as Gen:Trojan.Heur.AuW@Izubv1ni. Bitdefender reminds users to avoid clicking links in e-mails from unknown e-mail addresses and, of course, keep their anti-malware solution up-to-date with the latest virus definitons.

This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian MIRON and the technical information provided by Bitdefender Virus Analysts Doina COSOVAN, Octavian MINEA, and Alexandru MAXIMCIUC.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.