New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns -- and likely by a different set of threat actors than before.
Spain-based security vendor buguroo says it recently was able to leverage a surprisingly easy-to-exploit weakness in the C&C infrastructure of Dridex to gain unprecedented visibility into how exactly the malware is being used.
The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.
In addition to stealing banking credentials, the malware increasingly is also being used to steal credit card information via an Automatic Transfer System mechanism, says Ferrezuelo.
“Also, we found that victims are being targeted from companies all around the world, including [Latin America] and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK and the U.S., mainly.”
The buguroo report also noted that Dridex infrastructure is now being used to distribute samples of the Locky ransomware.
Information gathered by buguroo shows that Dridex has compromised systems in more than 100 countries and has collected credit card data affecting some 900 organizations. The company says that its review shows that over a 10-week period alone, attackers launched multiple Dridex campaigns that potentially compromised over 1 million credit cards. The growing number of victims in Latin America, the Middle East, and Africa suggests that Dridex should be considered a global threat, the company has noted.
Dridex first garnered attention in 2014 when security researchers reported it as part of a massive phishing campaign targeting small- and mid-sized businesses in the UK. Concerns over the malware being used to steal credentials that control access to SMB accounts with various targeted banks quickly prompted the FBI to issue a warning last year urging US organizations to be on the lookout for the threat.
In October 2015, authorities in the US and UK announced they had disrupted the Dridex operation and arrested a Moldovan national in connection with it, following a major collaborative effort involving law enforcement and private companies on both sides of the Atlantic. But less than a month later, several security researchers reported a fresh resurgence in Dridex-related campaigns.
“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming,” Ferrezuelo says. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”
The manner in which Dridex is currently being used is also consistent with the way other major cyber groups have evolved their strategies, Ferrezuelo says. After initially using the malware themselves, such groups have tended to sell it to other groups, and eventually the code leaks to the broader underground community.