Vulnerabilities / Threats

07:00 PM
Connect Directly

Dridex Malware Now Used For Stealing Payment Card Data

An analysis of Dridex infrastructure shows dangerous changes, potentially new operators.

New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns -- and likely by a different set of threat actors than before.

Spain-based security vendor buguroo says it recently was able to leverage a surprisingly easy-to-exploit weakness in the C&C infrastructure of Dridex to gain unprecedented visibility into how exactly the malware is being used.

The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.

In addition to stealing banking credentials, the malware increasingly is also being used to steal credit card information via an Automatic Transfer System mechanism, says Ferrezuelo.

“Also, we found that victims are being targeted from companies all around the world, including [Latin America] and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK and the U.S., mainly.”

The buguroo report also noted that Dridex infrastructure is now being used to distribute the Locky ransomware sample.

Information gathered by buguroo show that Dridex has compromised systems in more than 100 countries and has collected credit card data affecting some 900 organizations. The company says that its review shows that over a 10-week period alone, attackers launched multiple Dridex campaigns that potentially compromised over 1 million credit cards. The growing number of victims in Latin America, the Middle East, and Africa, suggest that Dridex should be considered a global threat, the company has noted. 

Dridex first garnered attention in 2014 when security researchers reported it as part of a massive phishing campaign targeting small- and midsized businesses in the UK. Concerns over the malware being used to steal credentials that control access to SMB accounts with various targeted banks quickly prompted the FBI to issue a warning last year urging US organizations to be on the lookout for the threat.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

In October 2015, authorities in the US and UK announced they had disrupted the Dridex operation and arrested a Moldovan national in connection with it following a major collaborative effort involving law enforcement and private companies on both sides of the Atlantic. But less than a month later, several security researchers reported a fresh resurgence, in Dridex-related campaigns.

“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming” Ferrezuelo says. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”

The manner in which Dridex is currently being used also is consistent with the manner in which other major cyber groups have evolved their strategies, Ferrezuelo says. After initially using the malware themselves, such groups have tended to sell it for use to other groups and eventually the code leaks to the broader underground community.

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.