Security Alert: Dridex Financial Malware Targets UK Users in Fake Invoice Campaign
Dridex is back and it’s even stealthier than before
About two to three years ago, Dridex was the king of financial malware, making its creators millions by reusing and improving the leaked Zeus GameOver code.
Just how many millions?
Officials believe that the cybercriminals behind Dridex and Dyre defrauded Internet users of around $13.6 million before they were arrested in November 2016. However, because this is a complex criminal operation, the ones who got caught last year were the money mules, not the creators of the malware themselves.
In early January, cyber security researchers noticed a strange and steep decline in malicious campaigns spreading Dridex and Locky ransomware.
As for Dridex, it also returned, with a new trick: it can now bypass Windows' UAC (User Account Control), which makes it stealthier. Windows will not trigger the security prompt that would otherwise alert you that a piece of software (in this case, malicious) is trying to make unauthorized changes to your system.
How the current campaign unfolds
Through this new feature, Dridex can automatically make changes to any system it infects while the user remains unsuspecting.
In this current security alert, we explore the details of another spear phishing campaign that’s currently targeting Internet users and financial institutions in the United Kingdom.
This is one of a string of other similar campaigns that have emerged in the past month, whose main target was also the UK.
Would you open an email whose subject line is: “Your latest invoice is here”?
The current malicious campaign follows a well-known but still effective recipe: an unsolicited email claiming to contain an invoice. The body of the email is a single brief sentence: “You can now see your latest invoice for your account.”
The purported invoice is a web link that, once clicked, points directly to a malicious online location (sanitized for your protection):
https://ipmsol-my.sharepoint[.]com/personalize/data_ipmsolutions_com_au/_layouts/15/guestaccess.aspx?docid=0ecc3838bc3e743129b5f7b8c2bdf0600&authkey=AU02X_uUY7wIScRIStgFzWs
-> Receipt Bank Invoice.scr (a Windows screensaver file, which is an executable)
If this file is executed, the system is infected with one of the following Trojan downloaders: Madness, Votwup or QuantLoader. Their objective is to retrieve Dridex from the following URL (sanitized for your protection): http://bogstudio[.]com/css/tsk.exe
This Dridex strain immediately connects to a series of tier-1 C&C servers. Here is a sample:
5.101.120[.]73:8343
91.121.30[.]169:4431
188.226.154[.]38:2221
Among other things, Dridex uses these C&C servers to download its various plugins, from domains such as:
modergoba [.] co
seliopna [.] co
The plugins include the following components (sanitized for your protection):
http://modergoba[.]co/carte noir 67f87viub/lib/zs.dll
http://modergoba[.]co/carte noir 67f87viub/lib/sql.dll
At the time the campaign was analyzed, the sample had a detection rate of 9/56 on VirusTotal.
Dridex's objective is unchanged: it still monitors the victim's Internet traffic to spot banking websites and harvest login credentials and other account information.
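For defenders who want to check their own logs for the infection chain described above, here is an added example (not code from the original alert or from CSIS) that refangs the indicators listed in this alert and matches them against a few constructed proxy and firewall log lines. The key=value log format, the `file=` field carrying the downloaded filename, and the sample records themselves are assumptions made for the example; the indicators are the ones published above.

```python
# Added example (not from the original alert or from CSIS): match the
# defanged indicators published in this alert against sample log lines.
import re

# Indicators copied from the alert in their defanged form. The SharePoint
# entry is kept as a URL prefix (the docid/authkey query string is dropped)
# so that it does not match the whole sharepoint.com service.
DEFANGED_IOCS = [
    "https://ipmsol-my.sharepoint[.]com/personalize/data_ipmsolutions_com_au/_layouts/15/guestaccess.aspx",
    "http://bogstudio[.]com/css/tsk.exe",
    "5.101.120[.]73:8343",
    "91.121.30[.]169:4431",
    "188.226.154[.]38:2221",
    "modergoba[.]co",
    "seliopna[.]co",
]


def refang(ioc):
    """Undo the '[.]' and 'hxxp' defanging so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_iocs(defanged):
    """Classify each indicator as a URL prefix, an ip:port pair or a domain."""
    iocs = []
    for item in defanged:
        value = re.sub(r"^\w+://", "", refang(item))  # drop the scheme
        if "/" in value:
            host, _, path = value.partition("/")
            iocs.append(("url", (host.lower(), "/" + path)))
            continue
        host, sep, port = value.rpartition(":")
        if sep and port.isdigit():
            iocs.append(("ipport", (host, int(port))))
        else:
            iocs.append(("domain", value.lower()))
    return iocs


# Constructed proxy/firewall log lines (assumed key=value format, not real data).
SAMPLE_LOG = """\
2017-01-25T09:12:03Z proxy user=jdoe dst=ipmsol-my.sharepoint.com uri=/personalize/data_ipmsolutions_com_au/_layouts/15/guestaccess.aspx?docid=0ecc3838bc3e743129b5f7b8c2bdf0600 status=200 file="Receipt Bank Invoice.scr"
2017-01-25T09:12:41Z proxy user=jdoe dst=bogstudio.com uri=/css/tsk.exe status=200
2017-01-25T09:13:02Z fw user=jdoe dst=5.101.120.73 dport=8343 action=allow
2017-01-25T09:13:05Z fw user=jdoe dst=91.121.30.169 dport=4431 action=allow
2017-01-25T09:15:20Z proxy user=jdoe dst=modergoba.co uri=/lib/zs.dll status=200
2017-01-25T09:16:00Z proxy user=asmith dst=example.org uri=/index.html status=200
2017-01-25T09:17:00Z fw user=asmith dst=188.226.154.38 dport=443 action=allow
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'ts source k=v k=v ...' into a dict; quoted values keep spaces."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_line(fields, iocs):
    """Return the indicators a single log record matches."""
    hits = []
    dst = fields.get("dst", "").lower()
    dport = fields.get("dport")
    uri = fields.get("uri", "")
    for kind, value in iocs:
        if kind == "domain" and (dst == value or dst.endswith("." + value)):
            hits.append(value)
        elif kind == "ipport":
            host, port = value
            # The alert lists C&C hosts with ports; require both to match.
            if dst == host and dport is not None and int(dport) == port:
                hits.append("%s:%d" % (host, port))
        elif kind == "url":
            host, path = value
            if dst == host and uri.startswith(path):
                hits.append(host + path)
    # Campaign-specific heuristic: the lure delivers a .scr (screensaver
    # executable) from a web link, which is unusual for a legitimate invoice.
    name = fields.get("file", "")
    if name.lower().endswith(".scr"):
        hits.append("scr-download:" + name)
    return hits


def scan(log_text, iocs=None):
    """Scan log text and return one alert per record with at least one hit."""
    iocs = iocs if iocs is not None else build_iocs(DEFANGED_IOCS)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        hits = match_line(fields, iocs)
        if hits:
            alerts.append({"ts": fields["ts"], "user": fields.get("user", "?"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["user"], ", ".join(alert["hits"]))
```

On the sample data the script flags every stage of the chain for user jdoe (the SharePoint share plus the .scr download, the tsk.exe fetch, two C&C connections and the plugin domain) and nothing for asmith: the last record reaches a listed C&C address but on a different port, and the ip:port indicators are matched strictly as published. If your policy prefers to alert on any contact with those addresses, drop the port comparison in match_line.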
If you’re unsure whether you’re protected against Dridex, this guide on maximizing your financial data security might be just what you need.
*This article features cyber intelligence provided by CSIS Security Group researchers.