What is Dridex malware?
Dridex is malicious software (malware) that targets banking and financial access by leveraging macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
Dridex operates by first arriving on a user’s computer as a malicious spam email with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.
Evolving from Cridex and ZeuS
Dridex is an evolution of the Cridex malware, which itself is based on the ZeuS Trojan Horse malware. The Dridex banking malware initially spread in late 2014 via a spam campaign that generated upwards of 15,000 emails each day. The attacks primarily focused on computer systems located in the United Kingdom.
The Cridex Trojan Horse spreads by copying itself to mapped and removable drives on infected computers. Cridex creates a backdoor entry point on infected systems, enabling additional malware to be downloaded and run, and enabling operations such as opening rogue websites.
This latter capability enables Cridex to capture the banking credentials of users on an infected system when the user attempts to visit and log into a financial web site. Cridex will surreptitiously redirect the user to a fraudulent version of the financial site and record the login credentials as they are entered.
Is Dridex detectable?
As has been the case with the Emotet malware, Dridex has also had many iterations. “Over the last decade, Dridex underwent a series of feature augmentations, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Like Emotet, each new version of Dridex traces a further step in the global arms race as the security community responds with new detection and mitigations,” researchers wrote.
It is believed that Dridex will continue to see more variations. “Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” the report said.
Light at the end of the tunnel?
On December 5th, 2019, the FBI announced charges against two Russian nationals in a malware conspiracy.
Along with several co-conspirators, Maksim V. Yakubets and Igor Turashev are charged with an effort that infected tens of thousands of computers with malicious code called Bugat. Once installed, the code, also known as Dridex or Cridex, allowed the criminals to steal banking credentials and funnel money directly out of victims’ accounts. The long-running scheme involved a number of different code variants, and later versions also installed ransomware on victim computers. The criminals then demanded payment in cryptocurrency for returning vital data or restoring access to critical systems.
Turashev and Yakubets were both indicted in the Western District of Pennsylvania on conspiracy to commit fraud, wire fraud, and bank fraud, among other charges. Yakubets was also tied to charges of conspiracy to commit bank fraud issued in the District of Nebraska after investigators were able to connect him to the indicted moniker “aqua” from that case, which involved another malware variant known as Zeus.
Read the full article here [external link]
How to prevent ransomware
There are a number of defensive steps you can take to prevent ransomware infection. These steps are of course good security practices in general, so following them improves your defenses against all sorts of attacks:
- Patching – Keep your operating system patched and up-to-date so that there are fewer vulnerabilities to exploit.
- Application whitelisting – Don’t install software or give it administrative privileges unless you know exactly what it is and what it does. Make sure you maintain an approved application list for the entire organization.
- Anti-virus/anti-malware service – Use a service which detects malicious programs like ransomware as they arrive. Some include whitelisting capabilities which prevent unauthorized applications from executing in the first place.
- Extend your perimeter – Use an email and social media filtering service, preferably cloud-based. This will detect malicious attachments and files, and many (like Spambrella) also scan URLs for malicious actors.
- Adopt the 3:2:1 approach – Create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device, i.e. one that is not networked or accessible over the internet.
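The infection chain described at the top of this page starts with a Word attachment carrying a macro, and the perimeter-filtering step above is where such attachments should be caught. The following is an added example (not code from this page or from Spambrella) of the check a mail filter can apply: it looks inside an Office attachment for the VBA project part and the macro-enabled content type, independent of the file extension, and flags legacy OLE2 binaries for deeper inspection. The sample documents it builds are constructed here for testing and are not real lures.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip package
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_attachment(data: bytes) -> dict:
    """Classify an attachment by container and macro presence.

    Returns {"container", "macros", "reasons"}; "macros" is "present",
    "none" or "unknown" (OLE2 needs a real VBA stream parser to clear it).
    """
    result = {"container": "other", "macros": "none", "reasons": []}
    if data.startswith(OLE_MAGIC):
        result.update(container="ole2", macros="unknown")
        result["reasons"].append("legacy OLE2 container; needs VBA stream parsing")
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["reasons"].append("zip signature but corrupt archive")
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        result["reasons"].append("zip without Office content types")
        return result
    result["container"] = "ooxml"
    # The VBA project lives in this part whatever the file is named (.docx or .docm).
    vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    if vba_parts:
        result["macros"] = "present"
        result["reasons"].append("VBA project part: " + ", ".join(vba_parts))
    if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
        result["macros"] = "present"
        result["reasons"].append("macro-enabled content type declared")
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package used as sample input (not a real document)."""
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    types_xml = b'<Types><Override PartName="/word/document.xml" ContentType="' + main_ct + b'"/></Types>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "macro"):
        print(label, inspect_office_attachment(build_sample_docx(label == "macro")))
```

A filter built on this would quarantine or strip any inbound attachment where "macros" is "present" or "unknown", rather than relying on the sender's claimed file type.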