Dridex Trojan Evolves To Continue Banking System Spree

Dridex has been been redeveloped by Evil Corp, the cybercrime group that owns and operates the banking trojan.

IBM X-Force researchers said that the redevelopment of the malware has removed a number of bugs, and given it a new attack methodology.

Dridex Trojan

According to Limor Kessem, a cybersecurity evangelist at IBM X-Force, the new attack campaign was first detected in early January after the release of a new build for the Dridex malware.

“The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims,” blogged Kessem. “Campaigns are mainly focused on users in the UK.”

Dridex is also known as Bugat and Cridex. It originates in Eastern Europe (namely Moldova) and in October the National Crime Agency warned that it was responsible for losses of £20 million in the UK alone.

It works by infecting Windows PCs when users receive and open Office documents in seemingly legitimate emails. The trojan reportedly records login and password details used to access online banking services and sends the information to the attackers who then use the information to steal from bank accounts.

And Kessem warned that it has evolved and adopted a new attack methodology.

“The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme,” Kessem wrote. “The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.”

She noted that the overall idea behind redirection attacks is to send the infected victim to an entirely new website when they try to browse to their online banking site, never allowing them to reach the bank’s real site. By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.

Evil Corp has apparently been investing heavily in creating website replicas of targeted banks.

“Once the site replicas are ready, the Trojan causes an immediate redirection of victims’ HTTP requests and sends them to a new, impostor URL without any visual clue or visible delay,” warned Kessem. “Dridex now uses DNS poisoning on the local endpoint to redirect the victim to pages it controls.”

This means that when the victim sees the site replica, the URL in the browser’s address bar looks correct, and the user “won’t typically suspect that anything happened and will proceed to log in as usual.”

She said that Dridex’s operators had initially only targeted two banks in the UK, but it is now hitting 13 banks, all of which are based in the UK.

Expert Advice

IBM advises that banks and service providers use adaptive solutions to detect infections and protect customer endpoints. The right malware detection solutions are also vital in helping to detect Dridex’s redirection attacks.

Dridex is one of the top three most active banking Trojans in the world, and its redevelopment shows that it largely survived the takedown attempt by law enforcement last October.

Dyre is still the number one cybercrime malware, followed by Neverquest. But Dridex is in third spot now.

Last year, new statistics revealed that cybercrime is now Britain’s most common criminal offence.

How much do you know about famous hackers? Try our quiz!