Dyreza banking trojan

The DYREZA banking trojan is being used in a campaign which has been initiated by cybercriminals.

The cybercriminals behind the DYREZA banking trojan are using crafted malicious ‘Flash Player Update’ schemes to install the DYREZA banking trojan on the devices of the following listed banks:

  • Bank of America
  • Natwest
  • Citibank
  • RBS
  • Ulsterbank

The CSIS team has researched the DYREZA banking trojan, and they explain that the code is designed to work just like the ZeuS banking trojan. DYREZA is able to perform ‘hooking’ on Internet Explorer, Google Chrome, and Firefox. They explain that the malware is able to harvest data at any selected and connected state.

The malware is being provided to the unaware users via the following known campaigns

  • Your FED TAX payment ID [random number]
  • RE: Invoice #[Random number]

The campaigns are using the following text to infect the unaware users:

Please review attached documents regarding your account

To view/download your documents please click here

Tel: 01322 247616
Fax: 01322 202705
email: [email protected]

This information is classified as Confidential unless otherwise stated.

The malware contains the following target information:

  1. cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
  2. businessaccess.citibank.citigroup.com/cbusol/signon.do
  3. www.bankline.natwest.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.natwest.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fnatwest%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.natwest.com%3A443%2Fbankline%2Fnatwest%2Fdefault.jsp
  4. www.bankline.rbs.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.rbs.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Frbs%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.rbs.com%3A443%2Fbankline%2Frbs%2Fdefault.jsp
  5. www.bankline.ulsterbank.ie/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.ulsterbank.ie&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fubr%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.ulsterbank.ie%3A443%2Fbankline%2Fubr%2Fdefault.jsp
  7. cashproonline.bankofamerica.com/materials
  8. businessaccess.citibank.citigroup.com/materials
  9. c1shproonline.bankofamerica.com
  10. cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/
  11. cashproonline.bankofamerica.com/assets/
  12. b1sinessaccess.citibank.citigroup.com
  13. businessaccess.citibank.citigroup.com/assets/
  14. businessaccess.citibank.citigroup.com/CitiBusinessOnlineFiles/
  15. www.b1nkline.natwest.com
  16. www.bankline.natwest.com/
  17. www.b1nkline.rbs.com
  18. www.bankline.rbs.com/
  19. www.b1nkline.ulsterbank.ie
  20. www.bankline.ulsterbank.ie/

Our friends at RedSocks provided information regarding the DYREZA banking trojan. The information which is provided, gives insight in the network events which are started by the DYREZA banking trojan.

DYREZA Network Events

  • DNS query: granatebit.com
  • DNS query: newsbrontima.com
  • DNS query: teromasla.com
  • DNS query: yaroshwelcome.com
  • Sends data to:
  • Sends data to:
  • Sends data to:

The malware samples have been uploaded to the malwr.com website, which provides insight in the various values of the DYREZA trojan.

DYREZA banking malware
DYREZA banking malware

Stay safe on the internet

Take a look at the security tips which will help you to stay safe. The following collection of security questions can be used to discuss the security status of your company. Be aware of the various schemes which are luring unaware social media users. Use this checklist to control the security status of your social media account.

Share this information