Pierluigi Paganini
January 21, 2016
Security experts at IBM X-Force team discovered a new wave of attacks based on the Dridex malware targeting British businesses. The malware has targeted rich UK bank accounts in a new campaign that is operated by threat actors well-resourced, a criminal organization dubbed Evil Corp.
Evil Corp has released a new improved variant of the Dridex banking trojan that was spread through the Andromeda botnet.
“Dridex recently released a new malware build with some internal bug fixes. The new version, v196769, which is v.3.161, was first detected on Jan. 6, 2016. The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K.” states Limor Kessem, Cybersecurity Evangelist at IBM.
The Dridex banking trojan is considered one of the most serious threats to banks, in October 2015, security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign targeting victims mainly in the UK.
Also in this new campaign, victims received spam email including a Microsoft Office file attachment purporting to be an invoice. The file contained a malicious macro that, once enabled, start the infection process dropping Dridex on the target that redirects visitors from legitimate bank sites to malicious versions.
A detailed analysis of the redirection mechanism allowed X-Force researchers to link the new Dridex infection to the Dyre Trojan’s redirection attack scheme, the unique difference in redirection mechanism is that while Dyre redirects via a local proxy, the Dridex redirects via local DNS poisoning.
“X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology. The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.” states the post.
By implementing this attack scheme, the attackers aim to deceive victims into divulging authentication codes,
“When Dyre started using this scheme, it was targeting over a dozen banks; a rather resource-intensive operation that eventually drove Dyre’s operators to switch back to using web injections and page replacements.”
According to the experts, Dridex operators are scaling up on quantity and quality, the number of banks targeted by the cyber criminals behind this threat is increasing and the code is even more sophisticated and continuously updated.
“Dridex also continues to scale up in victim quality. The bank URLs on the target list are, for the most part, the dedicated subdomains for business and corporate account access. By targeting the higher-value customers in each bank, Dridex’s operators are clearly planning to make large fraudulent transfers out of business accounts and are less enticed by personal banking.”
(Security Affairs – Dridex Trojan, cybercrime)
