Dridex Returns to Taunt Financial Institutions and Businesses

November 19, 2015 | CCG Catalyst, CCG Insights

The FBI and the UK National Crime Agency announced in October the summer takedown of Dridex’s core command and control infrastructure. This so-called breakup of the malware, along with the arrests of key individuals, presumably severely damaged the hackers’ capability to run Dridex (aka Bugat) campaigns.

However, less than a month after its announced dismantling, the infamous malware, responsible for $30 million in bank fraud losses in the UK and more than $10 million in the U.S., re-emerged.

Dridex, first seen in late 2014 in a spam campaign that generated as many as 15,000 phishing emails each day, primarily targeted UK users, although the malware strain spread across Europe and beyond the continent.

It mainly targets financial institutions, but confirmation of its return comes with news of a fresh spam campaign against IKEA customers.

Despite the recent FBI and other Dridex arrest and takedown announcements, Fairfax, Va.-based cybersecurity firm Invincea observed a renewed Dridex cyber-crime infrastructure attacking users, particularly in France, with weaponized Microsoft Word documents disguised as retail and hotel receipts.

In November, Invincea released a research advisory detailing the resurrection of Dridex and its wider cybercrime campaign designed to raid victims’ bank accounts. The malware evades nearly every signature-based antivirus check available and in use by most end users.

Once a targeted victim opens the e-receipt attachment, it activates and executes the Dridex malware. The attackers then harvest the victims’ credentials, mostly usernames, passwords and card details.

The weaponized documents have overwhelmingly been the top threat facing enterprises during the last two months. Businesses and individuals should take notice that this major international cyber-crime operation is once again actively operating and targeting French users. Invincea released the advisory because the French campaign may portend the resurgence of a broader campaign that will likely target users in the U.S. and other countries, as Dridex has done previously.

Since October 22, Invincea has observed some 60 instances of cyber-thieves targeting French users with the Dridex banking Trojan. This indicates Dridex remains a threat and has retained at least some of its command and control infrastructure.

This renewed Dridex campaign targets users with weaponized Microsoft Office documents posing as receipts from popular retail stores and hotels. In these latest attacks, weaponized Word documents used “Just-In-Time” malware assembly, in which the malware assembles itself only after it has passed the computer’s security checks, to build and load the banking Trojan directly on victims’ devices.

Dridex is particularly destructive because of its use of Microsoft Word macros and encryption techniques to frustrate advanced static analysis technologies, in addition to the JIT malware assembly tactics to evade network defenses.

The combination of these methods that evade network and endpoint security solutions gives it particularly high infection rates: SecurityScorecard reports it was the most prolific banking Trojan afflicting the corporate sector during the first six months of 2015.

The malware continues to use executables digitally signed with legitimate certificates to avoid detection and poses a major threat to financial institutions in the US. Experts recommend that companies use solutions that detonate attachments or open them in an isolated environment to avoid falling victim to this malware.
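The advice above amounts to "inspect and isolate before a user opens it". The following is an added example, not code from the article, from Invincea or from any vendor named here, of a mail-gateway or analyst triage step that flags Office attachments carrying a VBA macro project so they can be routed to a detonation sandbox or an isolated viewer. It relies only on file structure: OOXML documents are ZIP containers in which a macro project appears as a `vbaProject.bin` part, and legacy binary Office files are OLE2 compound files in which a macro project is stored under a `Macros` storage with a `_VBA_PROJECT` stream. The OLE check is a byte-scan heuristic for those UTF-16LE directory names rather than a full OLE parse, and the sample attachments, file names and the `triage_attachment` action labels are constructed for this example.

```python
"""Flag Office e-mail attachments that carry a VBA macro project.

Added example; not the article's or any vendor's code. Stdlib only.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as UTF-16LE; a VBA project lives in a
# 'Macros' storage holding a '_VBA_PROJECT' stream.
OLE_MACRO_MARKERS = (
    "Macros".encode("utf-16-le"),
    "_VBA_PROJECT".encode("utf-16-le"),
)
OFFICE_EXTENSIONS = {"doc", "docx", "docm", "dot", "dotm", "xls", "xlsx", "xlsm", "rtf"}


def has_ooxml_macro(data: bytes) -> bool:
    """OOXML (.docx/.docm/.xlsm ...) is a ZIP; a macro project is a vbaProject.bin part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def has_ole_macro_markers(data: bytes) -> bool:
    """Legacy .doc/.xls: OLE2 container; heuristic scan for VBA directory names."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in OLE_MACRO_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment.

    action 'detonate': macro project present; run in a sandbox before any user sees it.
    action 'isolate':  Office document without a detected macro; open in an isolated viewer.
    action 'review':   not recognised as an Office container; normal handling.
    """
    office_ext = filename.lower().rsplit(".", 1)[-1] in OFFICE_EXTENSIONS
    if has_ooxml_macro(data):
        container, macro = "ooxml", True
    elif data.startswith(b"PK\x03\x04"):
        container, macro = "ooxml", False
    elif has_ole_macro_markers(data):
        container, macro = "ole", True
    elif data.startswith(OLE_MAGIC):
        container, macro = "ole", False
    else:
        container, macro = "other", False
    if macro:
        action = "detonate"
    elif office_ext or container != "other":
        action = "isolate"
    else:
        action = "review"
    return {"filename": filename, "container": container, "macro": macro, "action": action}


def _make_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word attachment; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not VBA
    return buf.getvalue()


# Constructed sample attachments used to exercise the triage logic.
SAMPLE_RECEIPT_DOCM = _make_ooxml(with_macro=True)
SAMPLE_CLEAN_DOCX = _make_ooxml(with_macro=False)
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for name, blob in [
        ("hotel_receipt_2015-11.doc", SAMPLE_RECEIPT_DOCM),
        ("invoice.docx", SAMPLE_CLEAN_DOCX),
        ("store_receipt.doc", SAMPLE_LEGACY_DOC),
        ("receipt.pdf", SAMPLE_PDF),
    ]:
        print(triage_attachment(name, blob))
```

The check is deliberately independent of the file extension, since a lure named like a receipt tells you nothing about its contents; the extension only decides whether a macro-free file still deserves the isolated viewer. A production gateway would replace the OLE byte scan with a real OLE parser and feed anything marked `detonate` into the sandbox the article's experts recommend.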