Less than a month after being dismantled, the notorious Dridex malware, which has been responsible for $30 million in bank fraud losses in the United Kingdom and more than $10 million in losses in the U.S., re-emerged.

Accompanying its return is news of a new spam campaign targeting IKEA customers, according to the German security firm Heimdal Security.

In mid-October, the FBI and the U.K.'s National Crime Agency announced they had taken down Dridex's core command and control infrastructure last summer. This takedown, along with the arrests of key individuals, is presumed to have severely damaged the hackers' capability to run Dridex (also known as Bugat) campaigns.

“It is clear at this point that the Dridex botnet operators are not going to give up this lucrative botnet without a fight,” Ondrej Krehel, founder/CEO of the New York City-based cybersecurity intelligence firm LIFARS, said. “Even though the infections went down significantly, we are now witnessing a comeback and the number of infections is increasing.”

Earlier this week, the Fairfax, Va.-based cybersecurity firm Invincea released a research advisory detailing the resurgence of Dridex and its wider cyber crime campaign, which is designed to raid victims' bank accounts.

Once a targeted victim opens the embedded e-receipt attachment, it executes and installs the Dridex malware. The attackers then harvest user credentials – mostly usernames, passwords and card details belonging to the victims. Dridex primarily targets financial institutions.

The malware can also evade nearly every signature-based antivirus check currently in use by most end-users.

Dridex was first spotted in late 2014 as part of a spam operation that created as many as 15,000 phishing emails daily. The malware strain mainly targeted users in the U.K., then spread across Europe and even beyond the continent.

Despite the recent arrests and takedown announcements, Invincea observed a renewed Dridex cyber crime infrastructure that is attacking users, particularly in France, with weaponized Microsoft Word documents that mimic retail and hotel receipts.

Invincea said it is notifying businesses and individuals that a major international cyber crime operation is once again actively operating and targeting French users. The firm said it released the advisory because the French campaign may portend the resurgence of a broader campaign that will likely target users in the U.S. and other countries, as Dridex did in the past.

According to Invincea's research, the weaponized documents were the top threat facing enterprises during the last two months.

Since Oct. 22, Invincea has observed around 60 instances of cyber-thieves targeting French users with the Dridex banking Trojan, indicating that Dridex is still a threat and has at least retained some of its command and control infrastructure, the firm said.

The renewed Dridex campaign's weaponized Word documents incorporated “Just-in-Time” malware, which assembles itself once it bypasses computer security systems, building and loading the banking Trojan directly on victims' devices.

“Dridex is particularly pernicious because of its use of Microsoft Word macros and encryption techniques to thwart advanced static analysis technologies, in addition to the JIT malware assembly tactics to evade network defenses,” Invincea reported.

These combined methods of evading network and endpoint security solutions lead to particularly high infection rates: SecurityScorecard reports Dridex was the most prolific banking Trojan afflicting the corporate sector during the first six months of 2015.

“The malware continues to use executables digitally signed with legitimate certificates to avoid detection and poses major threats to financial institutions in the U.S.,” Krehel explained. “Taking into account its track record, it's likely Dridex will cause some serious financial harm to its victims, yet again.”

Krehel recommended companies use solutions to detonate attachments or open them in an isolated environment to prevent falling victim to the malware.
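The article's delivery vehicle is a macro-bearing Office document posing as a receipt, and its closing advice is to detonate such attachments in isolation. The following is an added example, not code from the article or any vendor named in it: a mail-gateway style triage check that routes Office Open XML attachments carrying a VBA project to a sandbox and flags legacy binary formats for deeper inspection. The sample documents are constructed in memory; the file names and the "detonate/inspect/deliver" verdicts are assumptions.

```python
import io
import zipfile

# Members that indicate an embedded VBA macro project inside an OOXML package.
MACRO_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Minimal content-types part used only to build the constructed samples below.
CONTENT_TYPES = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
                 b'/package/2006/content-types"/>')
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package, optionally with a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


def attachment_has_macros(data: bytes) -> bool:
    """Return True if an OOXML package contains a VBA project (macro-enabled)."""
    if not data.startswith(b"PK"):
        return False  # not a zip container; OLE files are handled by triage()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(marker in names for marker in MACRO_MARKERS)


def triage(filename: str, data: bytes) -> str:
    """Decide what the gateway does with an attachment: detonate, inspect or deliver."""
    lowered = filename.lower()
    # Macro-enabled extensions and any OOXML file with a VBA project go to the sandbox,
    # regardless of what the extension claims (a .docx can still carry vbaProject.bin).
    if lowered.endswith((".docm", ".xlsm", ".pptm")) or attachment_has_macros(data):
        return "detonate"
    # Legacy binary Office formats can also carry macros but need an OLE parser
    # (e.g. oletools) to tell; flag them for inspection rather than delivering blind.
    if data.startswith(OLE_MAGIC) or lowered.endswith((".doc", ".xls", ".rtf")):
        return "inspect"
    return "deliver"
```

In production the "detonate" verdict would hand the file to an isolated execution environment and hold delivery until the verdict returns, which is the control Krehel describes.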


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).