Dridex Trojan Borrows Redirection Attack Scheme from Dyre Malware

The Dridex banking Trojan has been updated with a new attack methodology that leverages a similar redirection attack scheme used by the Dyre Trojan, IBM X-Force researchers warn.

The researchers found that “Evil Corp”, the cybercriminal group behind the Dridex banking Trojan, has invested significantly in the new attack methodology and has also fixed internal bugs with the release of build v196769 (version 3.161). The updated malware was first detected on Jan. 6, 2016, Limor Kessem, Cybersecurity Evangelist at IBM, notes in a blog post.

Throughout 2015, Dridex, a successor of the Trojans known as Cridex, Feodo and Bugat, remained one of the dominant threats despite being relatively new to the threat landscape. IBM X-Force data shows that Dridex is among the top three most active banking Trojans in the world, even after authorities attempted to take it down in October.

Less than a week after the law enforcement takedown attempt in mid-October, Dridex was found to be active again, with a new infection campaign observed toward the end of the month. In late November, security companies ESET and Trend Micro warned of new Dridex variants and distribution campaigns that achieved high infection rates worldwide in only a few weeks.

The new Dridex build was immediately deployed in a campaign using the Andromeda botnet (a wide-reach botnet that many cybercriminals use to spread malware), and has focused mainly on users in the United Kingdom, using spam messages that carry a malicious Microsoft Office attachment.

The attachment, which appeared to be an invoice, contained poisoned macros. Once downloaded and opened on the victim’s computer, it prompted the user to enable macros in order to view the content. If the victim did so, the malicious macro code executed and, unless appropriate protections were in place, infected the system with Dridex.
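As an added example (not code from the SecurityWeek article or the IBM report), the following Python check inspects an Office attachment by its package contents rather than its filename or extension to tell whether it carries a VBA project, which is the precondition for the "enable macros to view content" lure described above. The sample documents are constructed in memory; the legacy OLE2 (.doc) container, which needs a dedicated parser, is only recognised and reported, not inspected.

```python
"""Classify an Office attachment by whether it carries a VBA macro project.

Added example; the sample documents below are constructed, not real samples.
"""
import io
import zipfile

# OLE2 compound-file signature: the container used by legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Package parts that hold VBA code in macro-enabled OOXML documents.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample(parts: dict) -> bytes:
    """Build an in-memory OOXML-style zip package from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed: a clean .docx-like package and a macro-enabled .docm-like package.
CLEAN_DOCX = build_sample({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": (
        b'<Types><Override PartName="/word/vbaProject.bin" '
        b'ContentType="application/vnd.ms-office.vbaProject"/></Types>'
    ),
    "word/document.xml": b"<w:document/>",
    # vbaProject.bin is itself an OLE2 stream; a fake header stands in for it here.
    "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 64,
})


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole2' or 'unknown' for an attachment body.

    The decision is made on content, so renaming a .docm to .docx does not hide it.
    """
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: VBA lives inside OLE2 storages; hand off to an OLE parser.
        return "legacy-ole2"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            # A VBA project part anywhere in the package is decisive.
            if names & MACRO_PARTS or any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            try:
                content_types = z.read("[Content_Types].xml")
            except KeyError:
                return "unknown"  # a zip, but not an OOXML package
            # Catch a package that declares the VBA content type under a renamed part.
            if MACRO_CONTENT_TYPE in content_types:
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "unknown"


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCM), ("legacy", OLE2_MAGIC + b"\x00" * 16)):
        print(f"{label:>7}: {classify_attachment(body)}")
```

A mail gateway would apply this to every Office attachment before delivery and quarantine anything that returns "macro", while "legacy-ole2" results go to an OLE-aware scanner.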

Kessem explains that at this point the X-Force researchers discovered that the Trojan employed a redirection attack concept copied from the Dyre Trojan. The difference between the two is that, while Dyre redirects via a local proxy, Dridex redirects via local DNS poisoning.

The masterminds behind Dyre targeted over a dozen banks when they started using the redirection scheme, and eventually switched back to web injections and page replacements, the blog post notes.

Once a replica of the targeted bank’s site has been created, the Trojan redirects the victim’s HTTP requests for the genuine site to an impostor URL. As the researchers explain, Dyre used a local proxy to do this, whereas the new Dridex variant uses DNS poisoning on the local endpoint to send the victim to pages the attackers control.
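The article does not say which part of local name resolution Dridex poisons; an override in the endpoint’s hosts file is one common way to achieve exactly this redirection, and that is the mechanism the following added Python example (not the report’s code) checks for. The hosts file content, the watch list of banking hostnames and the "trusted resolver" answers are all constructed; in production the trusted answers would come from an out-of-band query (for example DoH to a known resolver) that bypasses the endpoint’s own resolution path.

```python
"""Spot endpoint-level DNS poisoning planted in the hosts file (added example).

All inputs below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed hosts file. Lines 5 and 6 model what a banking Trojan would plant
# to send requests for real bank hostnames to an attacker-controlled replica.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal override
203.0.113.44    business.example-bank.co.uk corporate.example-bank.co.uk
203.0.113.44    secure.other-bank.example
"""

# Hypothetical watch list: hostnames an organisation never expects in a hosts file.
WATCHLIST: Set[str] = {
    "business.example-bank.co.uk",
    "corporate.example-bank.co.uk",
    "www.example-bank.co.uk",
}

# Constructed answers from a trusted, out-of-band resolver.
TRUSTED: Dict[str, Set[str]] = {
    "business.example-bank.co.uk": {"198.51.100.10", "198.51.100.11"},
    "intranet.corp.example": {"10.0.0.5"},
}

# Address space a hosts file may legitimately point at: loopback, RFC 1918,
# link-local and their IPv6 counterparts. Anything else is public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: address followed by one or more names, '#' comments."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; skip malformed line
        for name in parts[1:]:
            entries.append(HostsEntry(line_no, parts[0], name.lower().rstrip(".")))
    return entries


def is_local_address(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return ip.is_unspecified or any(ip in net for net in LOCAL_NETS)


def find_suspicious(entries: Iterable[HostsEntry], watchlist: Set[str]) -> List[HostsEntry]:
    """Flag watch-listed names outright, plus any dotted name mapped to a public
    address: a hosts file has no legitimate reason to override public DNS."""
    return [
        e for e in entries
        if e.hostname in watchlist or ("." in e.hostname and not is_local_address(e.address))
    ]


def overridden_names(entries: Iterable[HostsEntry], trusted: Dict[str, Set[str]]) -> List[HostsEntry]:
    """Entries whose local answer disagrees with the trusted resolver's answer."""
    return [e for e in entries if e.hostname in trusted and e.address not in trusted[e.hostname]]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for hit in find_suspicious(parsed, WATCHLIST):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address} (suspicious override)")
    for hit in overridden_names(parsed, TRUSTED):
        print(f"line {hit.line_no}: {hit.hostname} resolves locally to {hit.address}, "
              f"trusted resolver says {sorted(TRUSTED[hit.hostname])}")
```

The two rules are deliberately independent: the watch list catches known bank hostnames even if the attacker points them at a private address (for example a local proxy), while the public-address rule catches redirection of hostnames nobody thought to list. Comparing against an out-of-band resolver is the check that also works when the poisoning is done somewhere other than the hosts file, since it compares what the endpoint believes with what the rest of the world sees.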

After authenticating on the fake website, the victim is presented with injections that ask for two-factor authentication or transaction codes, such as one-time tokens, second passwords and answers to secret questions. The Trojan harvests these details and sends them to the command-and-control server, where the attackers check them for validity on the bank’s genuine website in real time.

If the credentials are valid, the attackers can conduct a fraudulent transaction from the victim’s account while social engineering injections stall the victim on the fake site. Fraudsters can also use additional injections to request further details from the victim should they run into challenges on the bank’s website.

According to X-Force researchers, the new Dridex campaign initially targeted only two banks in the UK with the redirection attacks, but expanded the list to 13 banks within a week. They suggest that the masterminds behind Dridex targeted the first two banks for testing purposes only, and expanded operations once the other site replicas were ready.

The researchers also note that the similarities between Dridex and Dyre could suggest that the two groups share some key developers or managers, and that the Dridex group might have borrowed or bought the site replicas from the Dyre group and then used the attack method in the same geography where Dyre had used it before.

Dridex has also scaled up in victim quality: the bank URLs on its target list are mainly dedicated subdomains for business and corporate account access. This suggests that the Trojan’s operators are looking to make large fraudulent transfers out of business accounts and are less focused on personal banking.
