Dark Reading is part of the Informa Tech Division of Informa PLC



Dridex Malware Now Used For Stealing Payment Card Data

An analysis of Dridex infrastructure shows dangerous changes, potentially new operators.

New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns -- and likely by a different set of threat actors than before.

Spain-based security vendor buguroo says it recently was able to leverage a surprisingly easy-to-exploit weakness in the C&C infrastructure of Dridex to gain unprecedented visibility into how exactly the malware is being used.

The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.

In addition to stealing banking credentials, the malware is increasingly being used to steal credit card information via an Automatic Transfer System mechanism, says Ferrezuelo.

“Also, we found that victims are being targeted from companies all around the world, including [Latin America] and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK and the U.S., mainly.”

The buguroo report also noted that Dridex infrastructure is now being used to distribute Locky ransomware.

Information gathered by buguroo shows that Dridex has compromised systems in more than 100 countries and has collected credit card data affecting some 900 organizations. The company says its review shows that over a 10-week period alone, attackers launched multiple Dridex campaigns that potentially compromised over 1 million credit cards. The growing number of victims in Latin America, the Middle East, and Africa suggests that Dridex should be considered a global threat, the company noted.

Dridex first garnered attention in 2014 when security researchers reported it as part of a massive phishing campaign targeting small- and midsized businesses in the UK. Concerns over the malware being used to steal credentials that control access to SMB accounts with various targeted banks quickly prompted the FBI to issue a warning last year urging US organizations to be on the lookout for the threat.


In October 2015, authorities in the US and UK announced they had disrupted the Dridex operation and arrested a Moldovan national in connection with it, following a major collaborative effort involving law enforcement and private companies on both sides of the Atlantic. But less than a month later, several security researchers reported a fresh resurgence in Dridex-related campaigns.

“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming,” Ferrezuelo says. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”

The manner in which Dridex is currently being used is also consistent with how other major cybercrime groups have evolved their strategies, Ferrezuelo says. After initially using the malware themselves, such groups have tended to sell it to other groups, and eventually the code leaks to the broader underground community.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
