Vulnerabilities / Threats

4/8/2016
07:00 PM
Dridex Malware Now Used For Stealing Payment Card Data

An analysis of Dridex infrastructure shows dangerous changes, potentially new operators.

New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns -- and likely by a different set of threat actors than before.

Spain-based security vendor buguroo says it was recently able to leverage a surprisingly easy-to-exploit weakness in the Dridex C&C infrastructure to gain unprecedented visibility into exactly how the malware is being used.

The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.

In addition to stealing banking credentials, the malware is also increasingly being used to steal credit card information via an Automatic Transfer System (ATS) mechanism, says Ferrezuelo.

“Also, we found that victims are being targeted from companies all around the world, including [Latin America] and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK and the U.S., mainly.”

The buguroo report also noted that Dridex infrastructure is now being used to distribute the Locky ransomware sample.

Information gathered by buguroo shows that Dridex has compromised systems in more than 100 countries and has collected credit card data affecting some 900 organizations. The company says its review shows that over a 10-week period alone, attackers launched multiple Dridex campaigns that potentially compromised over 1 million credit cards. The growing number of victims in Latin America, the Middle East, and Africa suggests that Dridex should be considered a global threat, the company noted.

Dridex first garnered attention in 2014 when security researchers reported it as part of a massive phishing campaign targeting small and midsized businesses in the UK. Concerns over the malware being used to steal credentials that control access to SMB accounts at various targeted banks quickly prompted the FBI to issue a warning last year urging US organizations to be on the lookout for the threat.


In October 2015, authorities in the US and UK announced they had disrupted the Dridex operation and arrested a Moldovan national in connection with it, following a major collaborative effort involving law enforcement and private companies on both sides of the Atlantic. But less than a month later, several security researchers reported a fresh resurgence in Dridex-related campaigns.

“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming,” Ferrezuelo says. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”

The manner in which Dridex is currently being used is also consistent with how other major cybercrime groups have evolved their strategies, Ferrezuelo says. After initially using the malware themselves, such groups have tended to sell it to other groups, and eventually the code leaks to the broader underground community.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
