SECURITY EVANGELIST

About two-three years ago, Dridex was the king of financial malware, making its creators millions by reusing and improving the leaked Zeus GameOver code.

Just how many millions?

$13.6 m Officials believe that the cybercriminals behind Dridex and Dyre defrauded Internet users of around $13.6 million, before getting arrested in November 2016. However, because this is a complex criminal operation, the ones that got caught last year were the money mules, not the creators of the malware themselves.

In early January, cyber security researchers noticed a strange and steep decline in malicious campaigns spreading Dridex and Locky ransomware.

But the break didn’t last long, as Locky returned in surprising combinations, along with the Kovter click-fraud Trojan and using overlapping infrastructure with Sage ransomware.

As for Dridex, it also returned, with a new trick: it can now bypass Window’s UAC (User Account Control), thus increasing its stealthiest. This means that Windows won’t be able to trigger a security warning, thus alerting you that a piece of (in this case, malicious) software is trying to make unauthorized changes to your system.

How the current campaign unfolds

Through this new feature, Dridex is capable of automatically making changes to any system it infects, while the user remains unsuspecting.

In this current security alert, we explore the details of another spear phishing campaign that’s currently targeting Internet users and financial institutions in the United Kingdom.

This is one of a string of other similar campaigns that have emerged in the past month, whose main target was also the UK.

Would you open an email whose subject line is: “Your latest invoice is here”?

The current malicious campaign follows a well-know, but still effective recipe: an unrequested email claiming to include an invoice. The contents of the email are a brief phrase that says: “You can now see your latest invoice for your account.”

The pretended invoice includes a web link that, once clicked, points directly to a malicious online location (sanitized for your protection): https: //ipmsol-my.sharepoint [.] Com / personalize / data_ipmsolutions_com_au / _layouts / 15 / guestaccess.aspx? Docid = 0ecc3838bc3e743129b5f7b8c2bdf0600 & authkey = AU02X_uUY7wIScRIStgFzWs

-> Receipt Bank Invoice.scr

If this component opens, the system will be infected with one of the following Trojan downloaders: Madness, Votwup or QuantLoader. Their objective is to retrieve Dridex from the following URL (sanitized for your protection): http: // bog studio [.] Com / css / tsk.exe.

This Dridex strain immediately connects to a series of tier-1 C& C servers. Here is a sample:

5101120 [.] 73: 8343

91121.30 [.] 169: 4431

188 226 154 [.] 38: 2221

Among other things, Dridex uses these C & C servers to download the various plugins, such as:

modergoba [.] co

seliopna [.] co

The plugins include the following components (sanitized for your protection):

http: // modergoba [.] co / carte noir 67f87viub / lib / zs.dll

http: // modergoba [.] co / carte noir 67f87viub / lib / sql.dll

At the moment when the campaign was analyzed, it has a detection rate of 9/56 on VirusTotal:

virustotal detection rate

The objective is the same with Dridex: it still monitors the victim’s Internet traffic to spot banking websites and harvest login credentials and other account information.

If you’re unsure whether you’re protected against Dridex, this guide on maximizing your financial data security might be just what you need.

*This article features cyber intelligence provided by CSIS Security Group researchers.

drive-by-download-attacks
2016.11.08 INTERMEDIATE READ

How Drive-by Download Attacks Work – From Disbelief to Protection

Most Dangerous Malware
2016.04.25 INTERMEDIATE READ

Top 10 Financial Malware and How They Can Affect You

Financial Data Protection
2016.04.19 INTERMEDIATE READ

15 Steps to Maximize your Financial Data Protection [Updated]

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP