Dridex Trojan Evolves To Continue Banking System Spree

Dridex has been been redeveloped by Evil Corp, the cybercrime group that owns and operates the banking trojan.

IBM X-Force researchers said that the redevelopment of the malware has removed a number of bugs, and given it a new attack methodology.

Dridex Trojan

According to Limor Kessem, a cybersecurity evangelist at IBM X-Force, the new attack campaign was first detected in early January after the release of a new build for the Dridex malware.

“The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims,” blogged Kessem. “Campaigns are mainly focused on users in the UK.”

Dridex is also known as Bugat and Cridex. It originates in Eastern Europe (namely Moldova) and in October the National Crime Agency warned that it was responsible for losses of £20 million in the UK alone.

It works by infecting Windows PCs when users receive and open Office documents in seemingly legitimate emails. The trojan reportedly records login and password details used to access online banking services and sends the information to the attackers who then use the information to steal from bank accounts.

And Kessem warned that it has evolved and adopted a new attack methodology.

“The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme,” Kessem wrote. “The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.”

She noted that the overall idea behind redirection attacks is to send the infected victim to an entirely new website when they try to browse to their online banking site, never allowing them to reach the bank’s real site. By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.

Evil Corp has apparently been investing heavily in creating website replicas of targeted banks.

“Once the site replicas are ready, the Trojan causes an immediate redirection of victims’ HTTP requests and sends them to a new, impostor URL without any visual clue or visible delay,” warned Kessem. “Dridex now uses DNS poisoning on the local endpoint to redirect the victim to pages it controls.”

This means that when the victim sees the site replica, the URL in the browser’s address bar looks correct, and the user “won’t typically suspect that anything happened and will proceed to log in as usual.”

She said that Dridex’s operators had initially only targeted two banks in the UK, but it is now hitting 13 banks, all of which are based in the UK.

Expert Advice

IBM advises that banks and service providers use adaptive solutions to detect infections and protect customer endpoints. The right malware detection solutions are also vital in helping to detect Dridex’s redirection attacks.

Dridex is one of the top three most active banking Trojans in the world, and its redevelopment shows that it largely survived the takedown attempt by law enforcement last October.

Dyre is still the number one cybercrime malware, followed by Neverquest. But Dridex is in third spot now.

Last year, new statistics revealed that cybercrime is now Britain’s most common criminal offence.

How much do you know about famous hackers? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago