
Hello old friend: DRIDEX at it again

  • Posted on:June 23, 2016
  • Posted in:Industry News, Security
  • Posted by:Christopher Budd (Global Threat Communications)
DRIDEX is back at it again with the scam emails.

If there's one thing that you can count on coming back, it's DRIDEX.

This piece of malicious code has a history of being particularly resilient. Over the past couple of years it has surfaced and made a name for itself as the successor to the Gameover Zeus malware, according to Trend Micro. DRIDEX is a banking Trojan that arrives as a Microsoft Office document carrying a malicious macro; once the macro runs it installs the malware on the victim's machine, which then harvests online banking credentials. It is unusual in operating under a Botnet-as-a-Service business model: several servers run separate bot networks, each configured with its own list of target banks.

Law enforcement has also entered the fray. In October, Trend Micro reported that the FBI had partnered with various security vendors to orchestrate a takedown of the malware's infrastructure and charges against its operators, leading to the seizure of multiple servers DRIDEX was using to infect systems and steal information.

The malware has been behind successful attacks against banking institutions. CNBC reported that Andrey Ghinkul, a 30-year-old hacker from Moldova, was arrested in October in connection with a total of $30.7 million stolen using this malicious program. That is how extensively DRIDEX has been able to affect companies on a global scale, so much so that the FBI and the U.K.'s National Crime Agency have been called in to eradicate it.

DRIDEX is back at it again

Despite the dramatic takedown and the subsequent charges filed against its administrators, it seems that what is dead may never actually die. In the months following the FBI action the malware was relatively quiet. Recently, however, Trend Micro researchers reported that DRIDEX has exhibited a spike in spam email activity in the U.S., Brazil, China, Germany and Japan. The U.S. received the largest share of these emails, at nearly 60 percent.

Previous waves of DRIDEX spam used fake invoices or notifications as the lure to get recipients to open a malicious attachment. This time around, the perpetrators have a different strategy up their sleeves.

"There are significant differences from this particular DRIDEX campaign as opposed to its previous waves," Trend Micro researchers wrote. "Instead of the usual fake invoice or notification baits, DRIDEX plays on people's fears of having their accounts compromised."

The emails use language designed to alarm the recipient, with subject lines such as "Account Compromised." The aim is to frighten the user into opening the message and its attachment, a tactic that works better on some people than others. The technical twist is in what happens next. The attachment is an Office document whose macro writes the DRIDEX payload to disk encoded as what looks like a certificate file, then runs Certutil, a legitimate command-line tool that ships with Windows, to decode that file back into an executable. Dressing the payload up as a certificate and letting a trusted Windows binary do the decoding is meant to slip past filters and reviewers that would balk at an obvious executable.

The campaign, therefore, is banking on you opening the email attachment, which supposedly contains a full report on how your account information was accessed. Opening it and enabling the macro is where the infection begins.
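The Certutil trick described above lends itself to two simple checks, shown here as an added example in Python that is not part of the original post or of Trend Micro's tooling: first, whether a file dressed up as a certificate really decodes to a Windows executable (an MZ header whose e_lfanew points at a PE signature), and second, whether a process command line is Certutil being asked to decode a file. The sample "certificate", the process-creation log lines, and every path and file name in them are constructed for the example; the Sysmon-style record format and the acceptance of "/" as a switch prefix are assumptions, not anything observed in the campaign.

```python
"""Two checks for the certutil-decode trick: does a 'certificate' file really
hide a Windows executable, and is a process command line certutil decoding a
file? Added example, not code from the original post or from Trend Micro.
All inputs below are constructed for the example."""
import base64
import binascii
import re
import shlex
import struct

PEM_MARKER = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def pem_body_to_bytes(text: str) -> bytes:
    """Drop BEGIN/END marker lines and base64-decode what is left, which is
    what 'certutil -decode' does. Malformed base64 yields b'' instead of
    raising, so a scanner can keep going over a batch of files."""
    body = "".join(
        line.strip()
        for line in text.splitlines()
        if line.strip() and not PEM_MARKER.match(line.strip())
    )
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return b""


def looks_like_pe(data: bytes) -> bool:
    """True for an MZ DOS header whose e_lfanew offset points at a PE\\0\\0
    signature, i.e. a Windows executable. A genuine certificate decodes to
    DER-encoded ASN.1 instead, which starts with a 0x30 SEQUENCE byte."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_certificate_hides_pe(text: str) -> bool:
    """File-level check: certificate markers wrapped around a PE image."""
    return looks_like_pe(pem_body_to_bytes(text))


def is_certutil_decode(cmdline: str) -> bool:
    """Process-level check: certutil(.exe) invoked with -decode or
    -decodehex. shlex in non-POSIX mode keeps Windows backslashes and quoted
    paths intact. Treating '/' as a switch prefix is an assumption."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return False
    if not argv:
        return False
    image = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return False
    switches = {a.lower().lstrip("-/") for a in argv[1:] if a.startswith(("-", "/"))}
    return bool(switches & {"decode", "decodehex"})


def _minimal_pe_stub() -> bytes:
    """Constructed: 0x80 zero bytes with an MZ header, e_lfanew = 0x40 and a
    PE signature. Enough header to exercise looks_like_pe, not a program."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def _wrap_as_certificate(data: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(data).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed inputs: a PE image dressed up as a certificate, and a blob that
# starts like a DER SEQUENCE (0x30 0x82 ...) the way a real certificate does.
FAKE_CERT = _wrap_as_certificate(_minimal_pe_stub())
DER_LIKE_CERT = _wrap_as_certificate(b"\x30\x82\x01\x00" + bytes(60))

# Constructed process-creation records (Sysmon-style command lines); the
# paths and file names are made up for the example.
SAMPLE_PROCESS_LOG = [
    r'C:\Windows\System32\certutil.exe -decode C:\Users\victim\AppData\Local\Temp\report.pem C:\Users\victim\AppData\Local\Temp\report.exe',
    r'C:\Windows\System32\certutil.exe -verify C:\certs\corp-ca.cer',
    r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\victim\Downloads\Account_Compromised.doc"',
]


def suspicious_commands(lines):
    """Return the command lines that match the certutil-decode primitive."""
    return [line for line in lines if is_certutil_decode(line)]


if __name__ == "__main__":
    print("fake cert hides PE:", fake_certificate_hides_pe(FAKE_CERT))  # True
    print("DER-like cert hides PE:", fake_certificate_hides_pe(DER_LIKE_CERT))  # False
    for cmd in suspicious_commands(SAMPLE_PROCESS_LOG):
        print("certutil decode:", cmd)
```

The file check catches the artifact the macro drops regardless of its extension, and the command-line check catches the decode step itself; an EDR or Sysmon rule that alerts on Certutil decoding a file whose parent process is an Office application is the natural way to operationalise the second one.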

Look out for more DRIDEX in the future

This isn't the only recent resurgence of the DRIDEX malware. At the beginning of April 2016, Dark Reading contributor Jai Vijayan reported that it was being used to steal payment card data by different actors than it had been in the past.

"The manner in which DRIDEX is currently being used also is consistent with the manner in which other major cyber groups have evolved their strategies," Vijayan wrote, paraphrasing buguroo CTO and co-founder Pablo de la Riva Ferrezuelo. "After initially using the malware themselves, such groups have tended to sell it for use to other groups and eventually the code leaks to the broader underground community."

What does this mean? There is no shortage of hackers looking to exploit your banking information for their own nefarious purposes, and as long as the DRIDEX code is still circulating, you can bet that malicious actors will keep using it, whether men like Ghinkul are behind bars or not.

How to combat banking malware

Utilizing malicious code to infiltrate and steal banking data is one of the most popular ways for hackers to gain access to confidential financial information, as the use of the DRIDEX malware demonstrates. Banking malware has been used in the past to steal millions of dollars from financial services organizations.

When old strains of malware become a new threat, it's crucial to make sure your computer systems are protected. It's also best practice not to open attachments or click links in emails from unknown senders, and because DRIDEX depends on an Office macro to run, blocking macros in documents that arrive from the internet removes its usual foothold. To keep systems safe, security products that track the reputation of web domains and files will be the most useful. The bottom line: don't be fooled by DRIDEX email scams, and invest in security solutions that can minimize the impact of these attacks.

Related posts:

  1. Finance industry: Money-stealing malware to be aware of
  2. Is online banking safe?
  3. DRIDEX: A continuing threat
  4. Trend Micro Partnership on DRIDEX Takedown
