The Dridex banking Trojan has been updated with a new attack methodology that leverages a similar redirection attack scheme used by the Dyre Trojan, IBM X-Force researchers warn.
The researchers have discovered that “Evil Corp”, the cybercriminal group behind the Dridex banking Trojan, has made significant investments in the new attack methodology and has also resolved internal bugs with the release of build v196769, which is version v.3.161. The updated malware was first detected on Jan. 6, 2016, Limor Kessem, Cybersecurity Evangelist at IBM, notes in a blog post.
Throughout 2015, Dridex, a successor of the Trojans known as Cridex, Feodo and Bugat, remained one of the dominant threats, despite being relatively new to the threat landscape. IBM X-Force data shows that Dridex is among the top three most active banking Trojans in the world, even after authorities tried to take it down in October.
Less than a week after the law enforcement shutdown attempt in mid-October, Dridex was found to have remained active, with a new infection campaign observed toward the end of October. In late November, security companies ESET and Trend Micro warned of new Dridex variants and spread campaigns that managed to achieve high infection rates worldwide in only a few weeks.
The new Dridex build was immediately deployed in a campaign using the Andromeda botnet (a botnet with a wide reach that many cybercriminals use to spread malware), which has been focused mainly on targeting users in the United Kingdom through spam messages with an infected Microsoft Office file attachment.
The attachment, which appeared to be an invoice, contained poisoned macros and, once downloaded and opened on the victim’s computer, prompted them to enable macros to view the content. Once the victim enabled macros, malicious code was executed, resulting in the system being infected with Dridex if appropriate protections were not in place.
Kessem explains that at this point the X-Force researchers discovered that the Trojan employed a redirection attack scheme concept copied from the Dyre Trojan. The difference between the two malware pieces is that, while Dyre redirects via a local proxy, Dridex redirects via local DNS poisoning.
The masterminds behind Dyre targeted over a dozen banks when they started using the new attack scheme, which eventually pushed them to switch back to using web injections and page replacements instead, the blog post notes.
As soon as the site replica has been created, the Trojan immediately redirects victims’ HTTP requests and sends them to a new, impostor URL. As the researchers explain, while Dyre used a local proxy to do this, the new Dridex variant uses DNS poisoning on the local endpoint to redirect the victim to pages it controls.
After authenticating on the fake website, the victim is presented with injections that ask for two-factor authentication transaction codes such as tokens, second passwords or replies to secret questions. The Trojan harvests these details and sends them to the command-and-control server, which checks them for validity on the bank’s genuine website in real time.
If the login credentials are valid, the attackers can conduct a fraudulent transaction from the victim’s account while delaying the victim on the fake site via social engineering injections. Moreover, fraudsters can use additional injections to request additional details from the victim, should they encounter challenges on the bank’s website.
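Because the redirection described above is performed on the local endpoint rather than at the network edge, one detection the article's flow suggests is to audit the local name-resolution overrides on endpoints for any pinning of banking domains. The following is an added example and is not code from the article or from IBM X-Force; it assumes the local override lives in a hosts-style file (the article says only "local DNS poisoning"), and the watchlist domains, sample file contents and addresses are all constructed for illustration.

```python
"""Flag hosts-file entries that pin a watched (banking) domain to a fixed address.

Added example, not from the article or IBM X-Force. Assumption: the local
redirection is implemented through a hosts-style file. Any entry for a
watched domain is treated as suspicious, since a legitimate endpoint has no
reason to hard-code a bank's address, loopback included (a loopback pin can
front a local proxy, the technique the article attributes to Dyre).
"""
import ipaddress

# Constructed watchlist: domains the organisation wants to protect (hypothetical names).
WATCHLIST_SUFFIXES = ("examplebank.test", "corp-banking.example")

# Constructed sample hosts file: two benign entries, one comment, three pins.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# comment line
198.51.100.23   online.examplebank.test www.examplebank.test
10.0.0.5        intranet.corp.local
203.0.113.77    business.corp-banking.example  # trailing comment
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, hostnames = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; skip rather than abort the audit
        for host in hostnames:
            yield addr, host.lower()


def is_watched(hostname):
    """True if hostname equals a watchlist domain or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_suspicious(text):
    """Return [(hostname, ip_string), ...] for every pinned watched domain, in file order."""
    hits = []
    for addr, host in parse_hosts(text):
        if is_watched(host):
            hits.append((host, str(addr)))
    return hits


if __name__ == "__main__":
    for host, ip in find_suspicious(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {host} pinned to {ip}")
```

Matching is done on domain suffix so that dedicated business-banking subdomains, which the article notes are the main targets, are caught as well as the bare domain. In practice the watchlist would be populated from the organisation's own list of financial counterparties and the check run against each endpoint's actual hosts file.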
According to X-Force researchers, the new Dridex campaign targeted only two banks in the UK with the new redirection attacks, but expanded the list to 13 banks in only a week. They suggest that the masterminds behind Dridex targeted the first two banks for testing purposes only, and that they decided to expand operations once the other site replicas were ready.
The researchers also note that the similarities between the Dridex and Dyre Trojans could suggest that the two groups behind them share some key developers or management, and that Dridex might have borrowed or bought the site replicas from the Dyre group and then went on to use the attack method in the same geography where Dyre had used it before.
Dridex was also found to scale up in victim quality, as bank URLs on the target list are mainly dedicated subdomains for business and corporate account access. This suggests that the Trojan’s operators are looking to make large fraudulent transfers out of business accounts and are less focused on targeting personal banking.