Updated July 06, 2017 (originally published April 12, 2015) Updated July 06, 2017

Dyre In-Depth: Server-Side Webinjects, I2P Evasion, and Sophisticated Encryption

2 min. read


Dyre is one of the most sophisticated banking and commercial malware agents in the wild. This trojan uses fake login pages, server-side webinjects, and modular architecture to adapt to the victim. This in-depth report looks at the entire fraud flow and its capabilities.

Dyre is a relatively new banking Trojan, first seen in the beginning of 2014. It soon emerged as one of the most sophisticated banking and commercial malware in the wild. Although it mainly targets online banks, it steals other types of credentials as well. Dyre uses many new techniques such as completely fake login pages, server side web-injects, and modular architecture. The level of sophistication and the constant upgrading of its capabilities suggest that it is here to stay.

Many have written about this new threat. However, few have succeeded in covering the entire fraud flow and all of its capabilities.

Just like most other malware, Dyre spreads via phishing campaigns. The infection process has several stages. First, the victim receives an email, similar to the template above, containing an attachment. Once the victim opens the attachment, he or she unknowingly executes the "Upatre" malware downloader. It then downloads and infects the machine with the actual Dyre malware. In the last stage, the malware uses a spamming tool to send similar emails and continue spreading.

Attackers use several methods to evade security solutions and researchers. Dyre constantly changes its "packing"—a technique for changing the binary code without changing its functionality, so it won’t be detectable or readable.

To see the full version of this article, click "Download" below.


Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.


9 hrs

a critical vulnerability—with the potential for remote code execution—is released.