SecurityWeek

Malware & Threats

New Dridex Malware Campaign Shifts to U.S.

Researchers at F5 Networks Security Operations Center (SOC) are warning of a new campaign of the Dridex web fraud malware. Previous campaigns had recently focused attacks on financial institutions in the United Kingdom, but among the new campaign’s malware configurations, only 6 percent of the targeted institutions are UK brands, versus 80 percent in the US and 5 percent in Canada.

Dyre is out, Dridex back in

The resurgence of Dridex isn't a surprise: its main competitors for PC-based web fraud, SpyEye, Dyre, and Zeus, have all come under pressure from international law enforcement.

The two main operators of the SpyEye family are now in prison. Earlier this month, SecurityWeek reported that a US court sentenced Russian national Aleksandr Andreevich Panin to nearly ten years; Panin was arrested while transiting through Atlanta, Georgia. The same court sentenced Algerian national Hamza Bendelladj, aka Bx1, to 15 years in prison followed by three years of supervised release.

The Dyre malware family has been in decline since February, when the Federal Security Service of the Russian Federation (the FSB) raided a Moscow film studio and arrested Dyre’s main operators.

Zeus remains among the most mature of the malware families. Its operator, Evgeniy Mikhailovich Bogachev, aka Slavik, is still at large and on the FBI's most wanted list, with a $3 million reward offered for information leading to his capture. The Zeus source code effectively became open source when it leaked and appeared on GitHub (it is not clear whether the leak was intentional). Since then, Zeus operators have been observed moving into the lucrative ransomware market.

With the Dyre and SpyEye arrests, and with Zeus moving to an adjacent market, Dridex and other malware will be working to grab their market share.

Dridex VNC backdoor


Dridex activates a Virtual Network Computing (VNC) backdoor that lets its operators connect to the victim's desktop while the credential theft is under way, piggybacking the fraudster into the financial institution from the victim's own machine. Because the fraudulent session originates from the real customer's computer, browser and IP address, device-fingerprinting and IP-reputation checks at the bank see nothing unusual.

Dridex isn't the only malware to use VNC; the Neverquest and Citadel families are also known to use remote desktop software. Remote-controlled desktops as a malware technique are ancient, tracing back even beyond the Cult of the Dead Cow's Back Orifice tool in the previous millennium.
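One way to spot such a backdoor on the wire, added here as an example that is not part of the article and not F5's tooling: match the RFB (VNC) handshake itself instead of the conventional 5900/tcp port, since a backdoor can listen on any port or connect outward to a viewer. The flow records are constructed for the example, and the port range and severity mapping are assumptions.

```python
"""Flag VNC sessions by the RFB handshake rather than by TCP port.

Added example; not F5's detection logic and not code from the article.
The RFB protocol fixes the opening exchange: the RFB server sends a 12-byte
ProtocolVersion message, "RFB xxx.yyy" plus newline (e.g. b"RFB 003.008\\n"),
and the client replies with the version it will use. A backdoor that runs a
VNC server on an arbitrary port, or connects out to a listening viewer,
still has to speak this handshake, so matching on it catches what a rule on
5900/tcp would miss. The flow records below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ProtocolVersion message: exactly "RFB " + 3 digits + "." + 3 digits + "\n".
RFB_VERSION = re.compile(rb"\ARFB (\d{3})\.(\d{3})\n")
# Conventional VNC ports are 5900 + display number (assumption: displays 0-9).
VNC_PORTS = range(5900, 5910)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    # Ordered payloads; direction is "c2s" (TCP initiator to responder) or "s2c".
    packets: list


def rfb_version(payload: bytes) -> Optional[str]:
    """Return 'major.minor' if payload opens with an RFB ProtocolVersion message."""
    m = RFB_VERSION.match(payload[:12])
    return f"{int(m.group(1))}.{int(m.group(2))}" if m else None


def first_payloads(packets):
    """First non-empty payload per direction, plus the order the directions spoke in."""
    first, order = {}, []
    for direction, payload in packets:
        if payload and direction not in first:
            first[direction] = payload
            order.append(direction)
    return first, order


def classify(flow: Flow) -> Optional[dict]:
    """Identify a VNC session from its handshake alone.

    Both directions must open with a well-formed version string. In RFB the
    server speaks first, so whichever side sent the first payload is the RFB
    server; if that is the TCP initiator, the machine is pushing its own
    desktop out to a listening viewer (a reverse connection), the shape a
    backdoor uses to get through NAT and outbound-only firewalls.
    """
    first, order = first_payloads(flow.packets)
    if len(order) < 2:
        return None
    versions = {d: rfb_version(p) for d, p in first.items()}
    if not all(versions.values()):
        return None          # TLS, HTTP, SSH etc. never start with "RFB "
    rfb_server_side = order[0]
    return {
        "version": versions[rfb_server_side],
        "reverse": rfb_server_side == "c2s",
        "standard_port": flow.dport in VNC_PORTS,
    }


def scan(flows) -> list:
    """Turn classified flows into alerts; only the shapes a backdoor uses are high."""
    alerts = []
    for flow in flows:
        hit = classify(flow)
        if hit is None:
            continue
        suspicious = hit["reverse"] or not hit["standard_port"]
        alerts.append({
            "src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "severity": "high" if suspicious else "info",
            "reason": ("reverse VNC to listening viewer" if hit["reverse"]
                       else "VNC on non-standard port" if not hit["standard_port"]
                       else "VNC on conventional port"),
            **hit,
        })
    return alerts


# Constructed sample flows (not captured data).
FLOWS = [
    # Ordinary admin VNC session to display :0.
    Flow("10.0.0.5", "10.0.0.9", 5900,
         [("s2c", b"RFB 003.008\n"), ("c2s", b"RFB 003.008\n"), ("c2s", b"\x02")]),
    # VNC server hiding on 443 on a workstation, accepting an inbound viewer.
    Flow("198.51.100.4", "10.0.0.5", 443,
         [("s2c", b"RFB 003.008\n"), ("c2s", b"RFB 003.008\n")]),
    # Real HTTPS: TLS ClientHello / ServerHello record headers.
    Flow("10.0.0.5", "203.0.113.8", 443,
         [("c2s", b"\x16\x03\x01\x00\xc8\x01"), ("s2c", b"\x16\x03\x03\x00\x5a\x02")]),
    # Reverse VNC: the workstation initiates TCP and then acts as RFB server.
    Flow("10.0.0.5", "203.0.113.9", 8443,
         [("c2s", b"RFB 003.008\n"), ("s2c", b"RFB 003.008\n")]),
]

if __name__ == "__main__":
    for alert in scan(FLOWS):
        print(alert["severity"], alert["src"], "->", alert["dst"], alert["dport"], alert["reason"])
```

The point of keying on the handshake is that the ordinary admin session on 5900 is only informational, while the same handshake on 443 or flowing outward from the workstation is what merits a look; a port-based rule would miss both of the latter.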

New form-grabbing targets

[Image: Dridex malware form-capture code]

Dridex also steals credentials for non-financial webmail and social media accounts, over plain HTTP and over HTTPS alike. This is the form-grabbing technique: the malware hooks the browser's own HTTP functions and reads the submitted form before the browser's TLS layer encrypts it, so HTTPS offers no protection once the endpoint is infected. According to F5, Dridex targets the Yahoo, Microsoft, Twitter, Facebook, and AOL login pages. Harvested credentials can then be replayed against other internet properties with higher-value logins, on the bet that the victim reused the password.
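To make concrete why HTTPS does not help against form grabbing, here is an added simulation that is not Dridex code and not F5's analysis tooling: it hooks Python's http.client request function (the analogue of the browser API a grabber hooks) and shows that the hook sees the plaintext POST body even on an HTTPS connection, because encryption happens one layer down in the socket. The target host list, the credential field names and the login request are constructed for the example, and the socket is an in-memory stub, so nothing is sent.

```python
"""Why HTTPS does not protect a login form from a form grabber.

Added example; not Dridex code and not F5's analysis tooling. A form grabber
does not attack TLS. It hooks the browser's HTTP request function, which
receives the POST body before the TLS layer encrypts it (on Windows,
wininet's HttpSendRequest takes the body as a parameter). This simulation
does the same in Python: it hooks http.client.HTTPConnection.request, which
HTTPSConnection inherits, so the hook sees plaintext no matter what kind of
socket sits underneath. Target list, field names and requests are constructed.
"""
import http.client
from urllib.parse import parse_qs, urlencode

# Stand-in for the kind of host list a bot configuration carries (assumed).
TARGET_HOSTS = {"login.yahoo.com", "login.live.com", "twitter.com",
                "www.facebook.com", "my.screenname.aol.com"}
# Form field names treated as credentials (assumed; a real grabber takes everything).
CREDENTIAL_FIELDS = {"username", "login", "email", "user", "passwd", "password", "pass"}

GRABBED = []   # what the hook harvested


class _StubSSLSocket:
    """Stands in for the SSLSocket http.client would use. In a real session
    this is the layer that encrypts; everything above it handles plaintext."""

    def __init__(self):
        self.wire = bytearray()

    def sendall(self, data):
        self.wire += data


def extract_credentials(body) -> dict:
    """Pull credential-looking fields out of a urlencoded POST body."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    fields = parse_qs(body.decode("utf-8", "replace"))
    return {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}


def install_hook():
    """Replace HTTPConnection.request with a logging wrapper; returns the original."""
    original_request = http.client.HTTPConnection.request

    def hooked_request(self, method, url, body=None, headers=None, *, encode_chunked=False):
        # Plaintext here for HTTP and HTTPS alike: encryption happens below,
        # in self.sock, after this call hands the request down.
        if method.upper() == "POST" and body and self.host in TARGET_HOSTS:
            fields = extract_credentials(body)
            if fields:
                GRABBED.append({"host": self.host, "url": url, "fields": fields})
        # Pass the request through unchanged so the victim notices nothing.
        return original_request(self, method, url, body=body,
                                headers=headers or {}, encode_chunked=encode_chunked)

    http.client.HTTPConnection.request = hooked_request
    return original_request


def simulate_login(host: str, path: str, form: dict) -> bytes:
    """Play the browser: POST a login form over what would be HTTPS."""
    conn = http.client.HTTPSConnection(host)
    conn.sock = _StubSSLSocket()      # no TCP/TLS connection is opened
    conn.request("POST", path, body=urlencode(form),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    return bytes(conn.sock.wire)


def demo():
    """Run one targeted and one non-targeted login through the hook."""
    GRABBED.clear()
    original = install_hook()
    try:
        wire = simulate_login("login.yahoo.com", "/config/login",
                              {"username": "alice", "passwd": "hunter2", "persistent": "y"})
        simulate_login("bank.example", "/login",      # not in the target list
                       {"user": "alice", "password": "correct horse"})
    finally:
        http.client.HTTPConnection.request = original   # remove the hook
    return list(GRABBED), wire


if __name__ == "__main__":
    grabbed, wire = demo()
    print("harvested:", grabbed)
    print("handed to the socket:", wire.decode())
```

The request that reaches the stub socket is byte-for-byte what the application produced, which is the second property a grabber relies on: the login succeeds normally, so the victim has no reason to suspect anything. The defensive consequence is that a TLS certificate, HSTS or a green padlock says nothing about the integrity of the endpoint that produced the request.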

F5 SOC researchers remind people that the general defense against online credential theft is basic security hygiene. Two-factor authentication limits what a stolen password is worth on its own, and using a different password for every website keeps one grabbed login from unlocking others; up-to-date endpoint security software is the other obvious measure. Note the limit of these controls against Dridex itself: when the fraudster rides the victim's already-authenticated session through the VNC backdoor, the second factor has already been supplied by the victim.

Related: Dridex, Locky Using Forms to Hide Code
