Cridex Malware Authors Warn Lloyds users of Dyre

PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today.

Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud.

Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft Word document to infect victims by pretending to be a Failed Fax Transmission.  On November 17, 2014, we received approximately 1,000 copies of this spam message before noon. The sending domain in the ‘From’ field was “” in all of those samples.

Here’s the thing we’ve never seen before – A warning about Dyre malware FROM THE AUTHORS OF THE CRIDEX MALWARE!  If – and only if – you are infected with this version of Cridex malware, and you visit a website at, you will receive the following pop-up message when you visit LloydsLink.  PhishMe analysts spoke with Lloyds and learned that the message being propagated by Cridex malware was previously used on the Lloyds website in a now discontinued security advisory, but confirmed that if someone is seeing that message now it is a sign of a Cridex malware infection.

The security warning displayed to users that have been infected with Cridex malware is as follows:

21 October
Lloyds Banking Group is aware that the Dyre malware (also known as Dyreza) is currently actively targeting financial institutions across the UK including customers of LloydsLink online.

This is not a vulnerability within LloydsLink online but malware that resides on infected computer systems designed to steal user log-in credentials.

We recommend you:

1. Work with your IT security providers to confirm that your anti-malware solution is capable of detecting and removing the very latest variants of Dyre.
2. Carry out comprehensive scans of any systems used to access LloydsLink, as well as any other financial service institution or financial orientated software that you use and transact on.
3. Change Passwords and memorable information, following the comprehensive scans of your systems.

Please remember it is important to check all beneficiary details, especially bank sort codes and account numbers, before creating and approving all payments.
For more information on protecting your payments please visit our Security Centre.


Protect against viruses
Use anti-virus software and ensure that it is kept up to date – this should protect your computer against the latest viruses
Use up-to-date anti-spyware software to protect against programs that fraudsters can use to collect information about your Internet usage

Keep your software up-to-date

Occasionally publishers discover vulnerabilities in their products and issue \’patches\’ to protect against any security threats. It is important that you regularly visit the website of the company which produces your operating system (e.g. Windows XP) and browser (e.g. Internet Explorer) to check for any patches or updates they may have issued.

While it would appear that the content above is being provided by Lloyds, that is not the case. The content is being pushed into your browser by the Cridex malware in what is known as a “web inject”. The web inject occurs if the malware senses that a user is visiting Lloyds commercial banking services.

Astute network monitoring professionals will want to watch for network traffic to the IP addresses and Both addresses are hosted on OVH France, a network that has great loyalty from the criminals behind this malware.

While nearly 300 other banks are also specifically targeted by this version of Cridex, the only other one with a special “web inject” pop-up message from the criminals are customers of Barclays Bank. They receive this special message:

Your security obligations
Due to our recent security changes you should keep your smart card inserted in your card reader.
This security message will appear periodically.
Please tick the box to acknowledge these security obligations.

In addition to many UK-based banks, banks in Austria, Belgium, Bulgaria, Germany, Hungary, Ireland, Indonesia, Israel, Italy,  India, Malaysia, Netherlands, Norway, Qatar, Romania, Singapore, Switzerland, United Arab Emirates, United States of America, and Vietnam have also been targeted.

Several companies offering services to small and regional banks and credit unions are also being targeted, including CardinalCommerce,,, and

PhishMe Intelligence subscribers can review further details of this attack online under Threat ID 2361.

WordPress Phishing: Target of Cybercriminals Worldwide
Three Ways Reporter Can Enhance Your Incident Response Process

Leave a Reply