The Dridex Trojan used to steal millions from UK banks is still dominant globally and continues to evolve, security researchers have warned.
In October 2015, the UK’s National Crime Agency set up a sinkhole for Dridex malware to stop infected computers – known as a botnets – from communicating with the cyber criminals controlling them, in conjunction with a US sinkhole operated by the FBI.
But just a month later Dridex was steadily regaining its footing, with campaigns being conducted mainly in the US, but also the UK, France and Australia, according to Ryan Flores, threat research manager at security firm Trend Micro. “Taking down servers is a significant step in crippling botnets, but unless all infrastructure is destroyed and all threat actors are caught, threats like Dridex are bound to resurface,” he wrote in a blog post.
Security researchers at IBM have confirmed this, detecting a new version of the malware on 6 January 2016 that has since been used to target mainly UK banks.
Research by IBM X-Force has revealed that despite attempts to shut Dridex down, it remains one of the world’s three most active banking Trojans.
The research also revealed that the cyber criminals behind Dridex have made a significant investment in the malware’s infrastructure, in addition to fixing bugs and retooling Dridex to be more like Dyre, with similar redirection attack schemes.
The Dridex gang, dubbed Evil Corp, has in recent weeks focused its efforts on a new campaign that uses the Andromeda botnet to deliver malware spam to intended victims in the UK.
Targets of the Dridex spam campaign receive a Microsoft Office file attachment purporting to be an invoice via email. The file contains poisoned macros that, once enabled, launch an exploitation and infection process.
Macro malware is a long-standing threat that has seen a revival in recent years to distribute threats like ransomware, and has been used to spread Dridex in the past.
Although the latest attack method represents an evolution of the Dridex malware, it is not entirely novel, according to Limor Kessem, cyber intelligence expert at IBM.
“It copies the concept of the Dyre Trojan’s redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place. Dyre redirects via a local proxy, while Dridex redirects via local DNS cache poisoning,” she wrote in a blog post.
In DNS cache poisoning, an attacker inserts a fake address record for an internet domain into the endpoint’s cache DNS. As a result, the cache will use the fake address in subsequent browsing requests and route traffic to the address of the attacker’s server.
Redirection attacks work by sending the infected victim to an entirely new website when they try to point their browser to their online banking site.
By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.
To carry out redirection attacks, the cyber crime gang needs to invest heavily in creating website replicas of targeted banks.
Kessem noted that when Dyre started using this scheme, it was targeting more than a dozen banks. But this proved so resource-intensive that Dyre’s operators switched back to using web injections and page replacements.
Once the fake sites are in place, Dridex redirects victims’ http requests and sends them to the fake site without any visual clue or visible delay because the victim will still see the correct URL in the browser’s address bar.
The fake site then prompts the victims to provide two-factor authentication transaction codes such as second passwords or replies to secret questions.
Dridex harvests those details and send them to its command-and-control server to check them for validity on the bank’s genuine website in real time. If the login credentials are valid, the fraudsters can conduct a fraudulent transaction from their own endpoint via account takeover.
Because it is done in real time, if the cyber criminals lack any details or face additional challenges on the bank’s website, they can get the victim to help them. In cases of successful information harvesting, money is moved from the victim’s account to an account controlled by the cyber criminals.
According to IBM’s researchers, Dridex’s operators initially targeted two banks in the UK, but within a week had extended that to 13 banks, all based in the UK. The gang also appeared to be targeting mainly business and corporate accounts.
“By targeting the higher-value customers in each bank, Dridex’s operators are clearly planning to make large fraudulent transfers out of business accounts, and are less enticed by personal banking,” wrote Kessem.
The Dridex sample analysed by IBM’s X-Force is detected by only four antivirus suppliers out of 56, according to VirusTotal.
“To help stop threats such as Dridex, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in a region,” wrote Kessem.
On the banks’ side, she said that countering evolving threats such as Dridex’s redirection attacks is made easier with the right malware detection capabilities.
“With protection layers designed to address the ever changing threat landscape, financial organisations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities,” wrote Kessem.