By Lord Remorin and Michael Marcos
The thing about takedowns is that they do not necessarily wipe out cybercriminal operations. In 2014, the ZeroAccess takedown affected the botnet’s click fraud operation, but infections continued to soar. DRIDEX’s case is similar: it continues to be a predominant threat to businesses and organizations despite the takedown of multiple command-and-control (C&C) servers in October 2015. We also observed this trend last year, as detailed in our annual roundup report.
DRIDEX’s continued prevalence could be attributed to two main factors: the botnet’s efficient delivery mechanism, which leads to more affected users; and its resilient peer-to-peer infrastructure, which allows it to continue its operation. We also surmise that DRIDEX is being peddled in cybercriminal underground markets, allowing other cybercriminals and attackers to use the botnet for their malicious activities.
Figure 1. Steady growth of Dridex as compared to other online banking threats
Infiltrating the network via effective entry points and social engineering tactics
One reason DRIDEX makes for an effective cybercrime tool is its social engineering lures, which appear to be geared toward unsuspecting employees in an organization. Most of the spam campaigns tied to DRIDEX use supposed copies of invoices, account statements, receipts, and legal statements. The spam even employs seemingly legitimate company domain names, thus tricking employees or users into opening file attachments.
Figure 2. Sample spam
DRIDEX also abuses macros to trigger system infections without users’ knowledge. It has its own macro downloader, which accounts for the majority of DRIDEX detections, rather than the actual TSPY_DRIDEX payload. Last February, we observed some DRIDEX binaries being delivered via JS file downloaders in addition to the traditional macro document downloader. In one of the samples analyzed, the macro downloader drops a VBScript, which in turn downloads the actual payload.
Figure 3. Volume of spam with DRIDEX (macro) attachments (Dec 2015-Feb 2016)
Another contributing factor to DRIDEX’s prevalence is its distribution by notorious exploit kits like Angler and Rig through malvertisements. We recently saw Angler exploit kit activity in Germany that dropped DRIDEX malware.
Targets running out-of-date OSs or applications who view the malvertisement may have DRIDEX downloaded onto their systems after the exploit kit attack.
Our data reveals that large-scale enterprises and small- to medium-sized businesses (SMBs) are indeed the ones heavily affected by this threat. They are likely targets given the nature of the social engineering tactics used.
SMBs can be prone to such threats since they are not as secure as enterprises; their IT security technologies are not as sophisticated or on par with those of enterprises. They also hold crucial data that can be sold in the underground or used for other attacks.
Figure 4. Monthly volume of DRIDEX detections vis-à-vis distribution of affected victims by segment (Oct 2015-Feb 2016)
Resilient P2P infrastructure
While the earlier takedown disrupted its operation, DRIDEX managed to get back on track with the aid of its resilient P2P network. During the takedown, security vendors, together with US and UK law enforcement and the Federal Bureau of Investigation (FBI), seized the C&C backend that stores the stolen banking information, as well as the admin nodes, which route connections to the C&C backend and send out updates. Taking down an admin node prevents the gathered information from being sent back to the C&C. It is possible that not all admin nodes have been taken offline, or that the cybercriminals behind DRIDEX may have created backup nodes. As long as there is an infected system, DRIDEX’s P2P network will continue to work.
On the other hand, its modular architecture makes the malware scalable with respect to changes in functionality and targets. Similar to the architectures of the equally notorious online banking Trojans DYRE and ZBOT, DRIDEX has a standalone file and several plugins that can be easily added and modified. Its configuration file is written in XML, which also makes it convenient for attackers to add more entities to its list of targets.
Large scale operation
DRIDEX operates using the botnet-as-a-service (BaaS) model. We delved closely into the threat post-takedown, and while there are minor changes in its code since the takedown last year, overall these modifications or enhancements do not affect the DRIDEX infection chain or how the botnet operates. Some of these small shifts include a different autostart registry name, macro code changes, and the locations where files are dropped. Since DRIDEX is controlled by one group, albeit distributed by different affiliates, samples distributed via different spam campaigns but released on the same day share the same variant or code. These can be determined via their revision or version numbers.
In terms of functionality, the malware’s P2P network communication does not appear to have been modified, most likely because doing so would break the whole P2P infrastructure. Each infected system on the network has its own encryption key, which is used for communicating with other nodes on the network. There was also no shift in targets, as bots still use the same “botnet IDs”, usually tied to a region, in order to receive specific configurations that contain the target banks in that region.
Security measures against DRIDEX
Although takedowns slow down cybercriminal operations, a more effective solution in the long run will be to take down the actors behind these operations through arrests and convictions. This is why efforts to create and sustain public-private partnerships (PPP), such as Trend Micro’s collaboration with law enforcement agencies across the globe through sharing threat intelligence and research findings on cybercrime, are needed more than ever.
DRIDEX will likely become more rampant this year. However, users and organizations can take basic security measures to protect their systems and information. Since DRIDEX mostly uses spam as an entry point to a system and a network, we strongly advise employees and users to remain vigilant when opening emails, even if these came from seemingly legitimate sources. It is also best not to enable macros in MS Word when opening suspicious email attachments, to prevent malware execution. Enterprises should also create policies that block emails with attachments from outside or unknown sources. Keeping systems updated with patches is an added layer of protection against the exploit kits that distribute DRIDEX.
Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and SMBs from this threat by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. We also secure enterprises via Trend Micro Deep Discovery, which has an email inspection layer that can detect malicious attachments and URLs. Its advanced threat protection can detect DRIDEX, thus preventing it from infecting the system and, consequently, information theft.
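As an added illustration of the mail policies in this paragraph (our example, not Trend Micro’s code or product logic), the following Python script flags macro-enabled Office documents and script-file attachments, the two downloader types described above, and blocks any attachment whose sender domain is outside the organization. The sample message, the domains and the placeholder macro archive are constructed; the vbaProject.bin check only covers Open XML (.docm/.docx) files, so legacy binary .doc attachments are left to AV or sandbox inspection.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}   # script downloaders seen delivering DRIDEX
OFFICE_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}  # may carry a macro downloader

def has_vba_project(data: bytes) -> bool:
    """Office Open XML files are zip archives; VBA code is stored in a vbaProject.bin member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # legacy binary .doc/.xls or not an archive: leave to AV or sandbox

def assess_message(raw: bytes, internal_domains: set) -> dict:
    """Reject macro/script attachments, and any attachment from a sender domain outside the org."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    external = sender_domain not in internal_domains
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTS:
            reasons.append(f"script attachment {name}")
        elif ext in OFFICE_EXTS and has_vba_project(payload):
            reasons.append(f"macro-enabled document {name}")
        elif external:
            reasons.append(f"attachment {name} from external domain {sender_domain}")
    return {"action": "block" if reasons else "allow", "reasons": reasons}

def build_macro_doc() -> bytes:
    """Constructed stand-in for a macro document: a zip with a placeholder vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    return buf.getvalue()

def build_sample_mail(sender: str, filename: str, data: bytes) -> bytes:
    """Constructed invoice-style lure message (sample data, not a real DRIDEX spam)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "payables@example-corp.invalid", "Invoice 2016-0221"
    msg.set_content("Please find attached the invoice for February.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```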
Additional analysis by Lala Manly, Michael Casayuran, and Joseph C. Chen