Within the last year, a formidable threat appeared – a new malware sample that would prove particularly dangerous. Its malicious capabilities focused on online banking activities, and it was quickly recognized as the successor to another harmful sample, CRIDEX. This new malware was dubbed DRIDEX, and it wasn't long before this sample was known throughout the security sector.
Recently, however, Trend Micro and other security vendors and investigative organizations made some headway in their pursuit of DRIDEX. Through a mutual partnership, these groups were able to put a dent in DRIDEX's infection capabilities. While it is not a final fix, it is a big step in the right direction.
Today, we'll take a look at the DRIDEX sample, including what makes it so malicious and how authorities were able to stop it in its tracks – for now at least.
DRIDEX: New banking malware appears
In November 2014, Trend Micro first reported on DRIDEX, the banking malware sample that appeared to have clear connections to CRIDEX, another dangerous infection seen just a few years before.
"Both CRIDEX and DRIDEX steal personal information, specifically related data to online banking," Trend Micro threat response engineer Rhena Inocencio wrote. "DRIDEX is considered as the successor because it uses a new way to steal information – via HTML injections."
In addition to using HTML injections to make off with stolen data, DRIDEX also differentiated itself from CRIDEX through the use of spam-laden Microsoft Word documents as its way to deliver malicious macro code. CRIDEX, on the other hand, relied on exploit kit spam attacks for its payload.
From the moment of attack, DRIDEX looks to fly under the radar and trick users. According to Inocencio, DRIDEX first appears to victims as a legitimate-looking spam message. The malware has even been known to use the names of real organizations in the finance industry, and the malicious Word doc attachments are referred to as invoices or accounting documents in the spam message.
Once the victim opens the attachment, they may see a blank screen. This is a sneaky trick by the malware to encourage the user to switch on the macro feature, which is disabled in default settings. A notification will appear, asking the victim to enable the macro feature, which allows the malicious attachment to download the DRIDEX macro code, TSPY_DRIDEX.WQJ.
After being installed on the victim's machine, the malware is able to monitor for online banking-related activities. In the past, it has mainly targeted users in Australia, the U.K., the U.S. and Italy. Therefore, its configuration file includes a list of specific banks common in these regions, including the Bank of Scotland, Lloyds Bank, Barclays and Triodos Bank. The sample specifically monitors for activities related to these institutions, and uses screenshots, grabbing and site injects to steal the necessary information.
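The delivery chain described above hinges on a Word attachment that carries a VBA macro while posing as an invoice. The following is an added example (not Trend Micro's code, and not tied to any real DRIDEX sample) of a mail-gateway triage check: it opens an OOXML attachment as a zip container and looks for `word/vbaProject.bin`, the member in which Word stores a VBA project, and flags legacy OLE `.doc` files for separate inspection. The attachment names and bytes are constructed in the script.

```python
"""Triage Word attachments for embedded VBA macros (added example)."""
import io
import zipfile

# Header of legacy binary .doc files (OLE2 compound files).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment.

    verdict is "macro" (OOXML with a VBA project), "clean" (OOXML without one),
    "legacy-binary" (OLE .doc, needs an OLE parser such as oletools) or
    "not-office" (neither container format).
    """
    if data.startswith(OLE_MAGIC):
        return {"name": name, "verdict": "legacy-binary", "members": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return {"name": name, "verdict": "not-office", "members": []}
    # A vbaProject.bin member means the document carries VBA code.
    has_vba = any(m.lower().endswith("vbaproject.bin") for m in members)
    return {"name": name, "verdict": "macro" if has_vba else "clean", "members": members}


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def triage(attachments):
    """Return names of attachments that carry, or may carry, macros."""
    verdicts = (inspect_attachment(n, d) for n, d in attachments)
    return [v["name"] for v in verdicts if v["verdict"] in ("macro", "legacy-binary")]


if __name__ == "__main__":
    # Constructed attachments: an "invoice" with a macro, a clean file, a legacy .doc, a text file.
    sample = [("invoice_4471.docm", build_ooxml(True)),
              ("statement.docx", build_ooxml(False)),
              ("old_invoice.doc", OLE_MAGIC + b"\x00" * 16),
              ("notes.txt", b"hello")]
    print(triage(sample))  # ['invoice_4471.docm', 'old_invoice.doc']
```

Note that a renamed extension does not matter here: the check looks at the container contents, not at the file name the spam message advertises.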
Industry partnership and server takedown
After DRIDEX had been in the threat environment for nearly a year, Trend Micro and other authorities began working to eliminate it. In October 2015, Trend Micro announced a partnership with the FBI and other security researchers in an effort to take down this malicious sample.
According to Trend Micro, law enforcement was able to obtain the necessary court documents to legally seize several command-and-control servers used for DRIDEX infection.
"This seizure crippled the malware's C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks," Trend Micro noted in a blog post.
Not only was this a huge victory for the security industry, but it also had a considerable impact on the overall threat environment. Because DRIDEX largely filled the gap after the Gameover Zeus malware was taken down in June 2014, the seizure of DRIDEX servers was a big step for user privacy and security overall.
"This action, coupled with the prior action against Gameover Zeus, gives a clear message that the criminals may be ready to exercise new attacks in the face of successful law enforcement action, but law enforcement and the industry are also ready to act quickly to take the new attacks back down," Trend Micro noted.