Widespread Spam Campaigns Linked with Dyre/Dyreza Banking Malware

Number: AL14-038
Date: 24 October 2014


The purpose of this Alert is to bring attention to widespread spam campaigns that have been linked to the Dyre/Dyreza banking malware.


CCIRC is aware of a spam campaign that has affected a wide variety of recipients internationally, including organizations within Canada. The campaign is circulated with the subject line "Unpaid invoic" and carries a malicious .PDF attachment. When the attachment is opened, it attempts to exploit CVE-2013-2729 or CVE-2010-0188 to drop the Dyre/Dyreza malware. Dyre/Dyreza behaves like other banking malware: it exploits vulnerabilities on the infected machine, gives malicious actors remote access to it, and intercepts sensitive login information (e.g. usernames and passwords).

This spam campaign has a high click rate because the malware appears to use the infected user's email contacts to send further copies of the email and attachment, so that each message appears to come from a trusted sender.

A second spam campaign has been observed using .ZIP files as email attachments. This campaign does not appear to exploit a vulnerability; instead, the archive contains an executable that ultimately leads to the Dyre/Dyreza malware. Please note that aspects of both campaigns, including subject lines and senders, have varied from case to case.

Subject Lines observed:
Unpaid invoic
FW: Daily report

Attachment Names observed:
Invoice<random numbers>
F44<random numbers>
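The following is an added example, not part of the CCIRC alert, showing how the indicators above can be turned into a mail-screening check: it matches subjects and attachment names against the observed values, and for .ZIP attachments inspects the archive for an executable member, since the alert notes that the second campaign delivers an executable inside a ZIP. The regular expressions generalise "Invoice<random numbers>" and "F44<random numbers>", the list of executable extensions is an assumption (the alert only says "an executable"), and the sample messages are constructed for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Subject lines observed in the alert, lower-cased for matching.
SUBJECT_INDICATORS = ("unpaid invoic", "fw: daily report")

# Attachment names observed: "Invoice<random numbers>" and "F44<random numbers>".
# The digit run and the .pdf/.zip extension are a generalisation, not from the alert.
ATTACHMENT_PATTERNS = (
    re.compile(r"^invoice\d+\.(pdf|zip)$", re.I),
    re.compile(r"^f44\d+\.(pdf|zip)$", re.I),
)

# Assumption: the alert says only that the ZIP "contains an executable";
# this is a common set of Windows executable/script extensions.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


@dataclass
class Message:
    subject: str
    sender: str
    attachments: dict  # attachment name -> raw bytes


@dataclass
class Verdict:
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def zip_executables(data: bytes) -> list:
    """Return executable-looking member names inside a ZIP blob; [] if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def assess(msg: Message) -> Verdict:
    """Flag a message that matches the alert's subject/attachment indicators
    or carries a ZIP containing an executable."""
    verdict = Verdict()
    subject = msg.subject.strip().lower()
    if any(ind in subject for ind in SUBJECT_INDICATORS):
        verdict.reasons.append(f"subject matches alert indicator: {msg.subject!r}")
    for name, data in msg.attachments.items():
        if any(p.match(name) for p in ATTACHMENT_PATTERNS):
            verdict.reasons.append(f"attachment name matches alert indicator: {name}")
        if name.lower().endswith(".zip"):
            exes = zip_executables(data)
            if exes:
                verdict.reasons.append(f"ZIP {name} contains executable(s): {', '.join(exes)}")
    return verdict


def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages (not real samples from the campaign).
SAMPLES = [
    Message("Unpaid invoic", "accounts@example.com",
            {"Invoice83921.pdf": b"%PDF-1.4 (placeholder)"}),
    Message("FW: Daily report", "colleague@example.com",
            {"F4417302.zip": _make_zip({"F4417302.exe": b"MZ (placeholder)"})}),
    Message("Lunch on Friday?", "friend@example.com",
            {"menu.pdf": b"%PDF-1.4 (placeholder)"}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = assess(m)
        status = "SUSPICIOUS" if v.suspicious else "clean"
        print(f"{status}: {m.subject!r} from {m.sender}")
        for r in v.reasons:
            print("   -", r)
```

Because the alert notes that subject lines and senders vary between cases, the subject and name matches should be treated as triage signals rather than a complete block list; the ZIP-contains-executable check is the more durable of the three.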

Suggested Action

CCIRC recommends that organizations review the indicators above and consider detection and mitigation measures appropriate to their network environment.


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
