Widespread Spam Campaigns Linked with Dyre/Dyreza Banking Malware
Date: 24 October 2014
The purpose of this Alert is to bring attention to widespread spam campaigns that have been linked to the Dyre/Dyreza banking malware.
CCIRC is aware of a spam campaign that has affected a wide variety of recipients on an international scale including organizations within Canada. This spam campaign is being circulated with the subject line “Unpaid invoic” and contains a malicious .PDF attachment. When the attachment is opened, it attempts to exploit vulnerabilities CVE-2013-2729 or CVE-2010-0188 to drop the Dyre/Dyreza malware. Dyre/Dyreza is similar to other types of banking malware in that it exploits vulnerabilities within the infected machine's system, gives malicious actors remote access into the infected machine, and intercepts sensitive login information (e.g. usernames and passwords).
This spam campaign has a high click rate because the malware appears to use the infected user's email contacts to resend the emails and malware, so that each message appears to come from a trusted sender.
A second spam campaign has been observed using .ZIP files as attachments in the emails. This campaign doesn't appear to be exploiting a vulnerability, but instead contains an executable that will eventually lead to Dyre/Dyreza malware. Please note that aspects of both campaigns have varied from case to case including subject lines and senders.
Subject lines observed:
- FW: Daily report
Attachment names observed:
CCIRC recommends that organizations review this information and consider implementing the following recommendations in the context of their network environment.
- Most often, attacks of this type are detected by diligent and well-informed users. CCIRC recommends that organizations ensure users receive situational awareness training, including instructions on how to report unusual or suspicious e-mails to their IT security branch. Reviewing departmental policies, requirements and security education and awareness training can help reduce this risk.
- As a precaution, users of a compromised host should be informed that login credentials for any accounts or services accessed through the compromised system should be changed immediately, following an appropriate strong password policy.
- Don’t open links or attachments in emails from untrusted or unknown sources.
- Maintain up-to-date software.
- Maintain up-to-date antivirus and other security software.
- Particular attention should be paid to software updates that address CVE-2013-2729 and CVE-2010-0188.
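The indicators in this alert (the observed subject lines and the .PDF/.ZIP attachment types) can be turned into a simple mail-gateway log check. The following is an added example and is not code from CCIRC or from the alert; the key=value log format, the sender addresses and the sample lines are constructed for illustration. It flags a message only when a matching subject coincides with a PDF or ZIP attachment, since either indicator alone would match a great deal of legitimate mail; the alert notes that subjects and senders vary between cases, so subject matching is case-insensitive substring rather than exact.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the alert text. "Unpaid invoic" is the subject
# exactly as observed; substring matching also covers "Unpaid invoice".
OBSERVED_SUBJECTS = ("unpaid invoic", "fw: daily report")
OBSERVED_ATTACHMENT_EXTS = (".pdf", ".zip")

# Constructed (assumed) gateway log format: one message per line,
# key=value pairs, quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    'ts=2014-10-23T09:14:02Z from=alice@example.com to=bob@example.ca '
    'subject="Unpaid invoice" attachment=invoice_2014.pdf',
    'ts=2014-10-23T09:20:45Z from=carol@example.com to=bob@example.ca '
    'subject="FW: Daily report" attachment=report.zip',
    'ts=2014-10-23T09:31:10Z from=dave@example.com to=bob@example.ca '
    'subject="Lunch?" attachment=-',
    'ts=2014-10-23T09:40:58Z from=erin@example.com to=bob@example.ca '
    'subject="FW: Daily report" attachment=report.xlsx',
]


@dataclass
class Finding:
    line_no: int
    sender: str
    subject: str
    attachment: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(fields):
    """Return the list of indicators from the alert that this message matches."""
    reasons = []
    subject = fields.get("subject", "").lower()
    attachment = fields.get("attachment", "").lower()
    for observed in OBSERVED_SUBJECTS:
        if observed in subject:
            reasons.append(f"subject matches observed campaign subject {observed!r}")
            break
    ext = attachment[attachment.rfind("."):] if "." in attachment else ""
    if ext in OBSERVED_ATTACHMENT_EXTS:
        reasons.append(f"attachment type {ext} used by the campaigns")
    return reasons


def scan(lines):
    """Flag messages where an observed subject and a PDF/ZIP attachment coincide."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        reasons = classify(fields)
        # Require both indicators: subject alone would flag ordinary forwarded
        # daily reports, attachment alone would flag most business mail.
        if len(reasons) == 2:
            findings.append(Finding(n, fields.get("from", ""), fields.get("subject", ""),
                                    fields.get("attachment", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: from={f.sender} subject={f.subject!r} "
              f"attachment={f.attachment}; " + "; ".join(f.reasons))
```

Flagged messages are candidates for review by the IT security branch rather than automatic verdicts; as the alert explains, the campaign varies its subjects and senders, so once specific attachment names are known they should be added alongside the extension check.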
References:
- Malicious Phishing Campaign using .PDFs
- New powerful banking malware called Dyreza emerges
- Old Adobe Vulnerability Used in Dyreza Attack, Targets Bitcoin Sites
- CCIRC Advisory AV13-021 Adobe Security Bulletin Summary for May 2013
- CCIRC Advisory AV14-007 Multiple Vulnerabilities in Adobe Reader, Acrobat, Flash Player and Air http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2010/av10-007-eng.aspx
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that the CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118