Researchers from IBM Security have revealed that a new variant of the Dridex malware has taken inspiration from the Dyre banking Trojan and is launching attacks on UK bank accounts.
The IBM X-Force team explained that Evil Corp, the group suspected to be responsible for Dridex, has upgraded the malware to use “redirection” techniques that leave people helpless to fend off credential theft.
Dridex typically spreads via bulk email phishing and allows an attacker to spy on a victim’s computer and steal sensitive credentials. It has been estimated that the malware is responsible for the theft of up to £20m from UK bank accounts over the past few years.
The latest version of Dridex, v.3.161, was detected on 6 January and revealed a number of “internal bug fixes”. IBM analysis showed that it quickly targeted UK internet users with the help of the Andromeda botnet.
The latest evolution of Dridex involves so-called “redirection” attacks: when a victim on an infected computer tries to reach their bank, the malware diverts the browser away from the genuine site to a forged banking website built to look legitimate, where the victim is persuaded to enter sensitive details.
Limor Kessem, senior cyber security expert at IBM Security, told V3 that redirection attacks were “one of the biggest causes for concern” uncovered during the investigation.
“With this capability, the criminal can hijack the victim trying to access their bank website and redirect them to a malicious website where they cannot be protected by the security on the genuine online banking portal,” she said.
“These attacks require ample investment to create the forged sites, but when trojans like Dridex focus on business and corporate accounts they are more likely to make it worth their while.”
The latest Dridex campaign is currently targeting 13 banks in the UK using this technique, according to Kessem. “We anticipate Dridex to continue relying on the redirection scheme for as long as it can afford to,” she said.
“We have already seen the Dyre trojan move away from this type of attack, likely due to the resources required to maintain it and to target new brands.”
Dridex has targeted the bank accounts of UK citizens for several years, and remains one of the dominant cyber threats alongside Dyre, Neverquest and Zeus v2. IBM Security said that the malware is one of the top three most active banking Trojans in existence.