New Dridex Malware Campaign Shifts to U.S.

Researchers at F5 Networks Security Operations Center (SOC) are warning of a new campaign of the Dridex web fraud malware. Previous campaigns had recently focused attacks on financial institutions in the United Kingdom, but among the new campaign’s malware configurations, only 6 percent of the targeted institutions are UK brands, versus 80 percent in the US and 5 percent in Canada.

Dyre is out, Dridex back in

The resurgence of the Dridex malware isn’t a surprise, as its main competitors for PC-based web fraud (SpyEye, Dyre, and Zeus) have all come under pressure from international law-enforcement agencies.

Two main operators of the SpyEye family have been shut down. Earlier this month, SecurityWeek reported that US authorities sentenced Russian national Aleksandr Andreevich Panin to nearly ten years in prison. Panin was attempting to travel through Atlanta, Georgia, in the US when he was captured. The same court sentenced another fraudster, Algerian national Hamza Bendelladj, aka Bx1, to 15 years in prison and three years of supervised release.

The Dyre malware family has been in decline since February, when the Federal Security Service of the Russian Federation (the FSB) raided a Moscow film studio and arrested Dyre’s main operators.

Zeus is still among the most mature of the malware families. Its operator, Evgeniy Mikhailovich Bogachev, aka Slavik, is still at large. He’s one of the FBI’s most wanted; they’re offering a $3 million reward for information leading to his capture. The Zeus source code became open-source when it appeared on GitHub (it is not clear whether the leak was intentional). Since then, Zeus has been observed moving into the lucrative ransomware market.

With the Dyre and SpyEye arrests, and with Zeus moving to an adjacent market, Dridex and other malware will be working to grab their market share.

Dridex VNC backdoor

Dridex activates a Virtual Network Computing (VNC) backdoor, enabling its operators to remotely connect to the victim’s machine during the credential theft and piggyback the fraudster’s session into the financial institution.

Dridex isn’t the only malware to utilize VNC; the Neverquest and Citadel malware families are also known to use the remote desktop software. The technique of remote-controlled desktops is ancient, tracing back even beyond the Cult of the Dead Cow’s Back Orifice tool in the previous millennium.

New form-grabbing targets

(Image: Dridex malware form capture code)

Dridex also steals social media credentials for non-financial accounts, both over plain HTTP and over SSL-encrypted HTTP (HTTPS). According to F5, Dridex targets the Yahoo, Microsoft, Twitter, Facebook, and AOL login pages. These credentials may then be used to attempt authentication against other internet properties whose logins protect high-value assets.

F5 SOC researchers remind people that the general defense against the theft of online credentials is proper security hygiene. Two-factor authentication can help prevent stolen credentials from being reused on other websites. Using different passwords for different websites is also common sense today, along with up-to-date endpoint security software.

Related: Dridex, Locky Using Forms to Hide Code
