
Dyre Spambots Use JJencode to Broaden Distribution

2015-02-10 01:45

January was a busy month for the developers of Dyre/Dyreza. The group reintroduced their Upatre link spam with some additional subterfuge.

This article explores the two types of spambot that Dyre uses; the following diagram gives a simplified view of how each type executes.

Differences between two current Dyre spambots.


Dyre bot operators have started to JJencode their HTML to evade detection, and have rigged the code to frequently generate a unique file, which hinders hash-based recognition of their work.

Example spam email with Dyre link

Example spam HTML email with Dyre link

Spam emails containing links to these JJencoded pages are sent by spambots, which the Dyre botnet drops on victims' computers.
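Because the bots randomise each generated file, hash matching is unreliable; a content-based check for JJencode itself holds up better. The following scanner is an added example (not ThreatTrack's code) that flags inline scripts in a fetched HTML page or attachment by recognising the default JJencode prologue, and falls back to a symbol-ratio heuristic for renamed-variable variants; the HTML sample embedded in it is constructed for this illustration.

```python
"""Flag JJencode-obfuscated JavaScript in an HTML page or attachment.

Added example, not ThreatTrack's code. Detection is content-based, so it
does not depend on the file hash, which the Dyre bots vary per copy.
JJencode output uses only a small symbol alphabet and, by default, opens
with a prologue that builds its base object on a global whose name is
made solely of '$' and '_' characters, e.g.  $=~[];$={___:++$, ...
"""
import re

# Symbol alphabet that JJencode output is drawn from (a superset is harmless).
JJ_ALPHABET = set("$_+()[]!~=;{}:\"\\/,.'")

# Default prologue: <gv>=~[];<gv>={___:++<gv>,   with <gv> matching [$_]+
JJ_PROLOGUE = re.compile(r"([$_]+)=~\[\];\1=\{___:\+\+\1,")

# Inline <script> bodies (case-insensitive, spanning lines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Constructed sample: a fax-themed lure with one JJencoded script and one
# ordinary script; the encoded part is a truncated JJencode prologue.
SAMPLE_HTML = (
    "<html><body><p>Fax message</p>"
    "<script>$=~[];$={___:++$,$$$$:(![]+\"\")[$],__$:++$,"
    "$_$_:(![]+\"\")[$],_$_:++$};</script>"
    "<script>document.title = 'Fax message';</script>"
    "</body></html>"
)


def symbol_ratio(code: str) -> float:
    """Fraction of non-whitespace characters drawn from the JJencode alphabet."""
    body = [c for c in code if not c.isspace()]
    return sum(c in JJ_ALPHABET for c in body) / len(body) if body else 0.0


def is_jjencoded(code: str, min_len: int = 200, threshold: float = 0.95) -> bool:
    """True on the default prologue, or when a long script is almost all symbols."""
    code = code.strip()
    if JJ_PROLOGUE.match(code):
        return True
    # Ratio test catches renamed-global variants; min_len keeps short
    # symbol-only snippets (e.g. "[]") from being flagged.
    return len(code) >= min_len and symbol_ratio(code) >= threshold


def scan_html(html: str) -> list:
    """Return [(script_index, flagged), ...] for every inline <script>."""
    return [(i, is_jjencoded(s)) for i, s in enumerate(SCRIPT_RE.findall(html))]
```

Run `scan_html` over the HTML body of a suspicious message or the page behind its link; a flagged script warrants sandboxing rather than delivery.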

Spambot Type 1

In a recent distribution, ThreatTrack Labs researchers noted that these spambots were fetching the URL that populates their templates from //5.104.109[.]197:13010/action.php?action=get_red, and were pulling their list of email targets from the same PHP script.

We’ve also seen this type of spambot using email attachments. Here are some examples of templates we encountered in January:


Subject: Barclays – Important Update, read carefully!

Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we downloaded the Update Form to security Barclays webserver.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

- Please download and complete the form with the requested details: $url$

- Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.


Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.


Subject: Fax #$number6$

Fax message

Sent date: $date$


Subject: Payment Advice – Advice Ref:[GB$number5$] / CHAPS credits


Please download document from dropbox, payment advice is issued at the
request of our customer. The advice is for your reference only.

Download link:


Yours faithfully,
Global Payments and Cash Management


This is an auto-generated email, please DO NOT REPLY. Any replies to
this email will be disregarded.

Security tips

1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure you have
the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of
this payment as soon as possible.

This e-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability
for any errors or omissions.


Subject: Employee Documents – Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents


Documents are encrypted in transit and store in a secure repository

This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply
email and delete the message and any attachments.


Subject: Important information about your account

We want you to recognise a fraudulent email if you receive one. The last
four digits of your account number: XXXX$number3$.

Dear Lloyds Link Customer,

You have a new message

There’s a new message in your Internet Banking Inbox. Messages contain
information about your account, so it’s important to view them.

If you’ve chosen to use a shared email address, please note that anyone
who has access to your online bank account or email account will be able
to view your messages.

Your inbox correspondence will never be deleted.





Important information about your account

16 January 2015

Lloyds Commercial


PLEASE NOTE: this message is important and needs your immediate

Please click [1] here to log into Internet Banking straightaway to view

Yours sincerely

Nicholas Williams,
Consumer Digital Director

Please do not reply to this email as this address is not manned and
cannot receive any replies.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN.
Registered in England and Wales, number 2065. Telephone: 020 7626 1500.

Lloyds Bank plc is authorised by the Prudential Regulation Authority and
regulated by the Financial Conduct Authority and the Prudential
Regulation Authority under registration number 119278.*

[1] http://mail.itpix.org/$url$


Subject: Important – Please complete attached form

This message has been scanned by the Bankline CSC SSM AV and found to be free
of known security risks.

Dear Customer

Please find below your Banking Form for Bankline.


Please complete Bankline Banking Form :

- Your Customer Id and User Id – which are available from your administrator if you have not already received them

Additionally, if you wish to access Bankline training, simply follow the link below


If you have any queries or concerns, please telephone your Electronic Banking Help Desk.

National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your

Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.


Subject: Employee Documents – Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents


Documents are encrypted in transit and store in a secure repository


Subject: Fax

Fax message

Sent date: $date$


Subject: eFax $number7$

You have received a $number2$ page fax at $date$.

* The reference number for this fax is

Thank you for using the eFax Corporate service!

2014 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Corporate
Customer Agreement [1].

[1] http://home.efax.com/customerAgreements/corp/customerAgreement.html 

This is just one type of spambot that Dyre delivers.

Spambot Type 2

The second spambot type that Dyre distributes uses Outlook components to send out spam carrying Upatre attachments. This spambot connects to a Dyre command and control server on port 1025 to retrieve its instructions.

The spam this second bot sends out is often quite concise, asking the reader to open a PDF.

For example:


Subject: unpaid invoice

Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any

Thank you.

Defend Yourself Against Dyre

Ensure your antivirus is up-to-date to protect yourself from malicious threats. VIPRE detects spambot type 1 as Spammer.Win32.Hedsen.nfua (v), and spambot type 2 as Win32.Malware!Drop and Trojan.Win32.Spammer (fs).

The spambot MD5 hashes we used for this analysis are:

Spambot 1:


Spambot 2:


Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

Photo Credit: Ben Goddard, Technical Writer, ThreatTrack Security

Portions of the Dyre Spambot diagram contain icons made by Freepik from www.flaticon.com, licensed under Creative Commons BY 3.0.

The post Dyre Spambots Use JJencode to Broaden Distribution appeared first on ThreatTrack Security Labs Blog.
