Dridex malware adopts redirection attacks to target high-value UK banking customers

The Dridex trojan has adopted a new attack methodology that it is using to target high-value customers of several UK banks.

Limor Kessem, a cybersecurity evangelist at IBM, has written a blog post in which she describes the attack campaign first detected in early January following the release of a new build for the Dridex malware.

"The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K."

The infection process begins when unsuspecting users open a Microsoft Office email attachment purporting to be an invoice. That file contains malicious macros which, when enabled, launch the exploit and install Dridex on the infected machine.

Notwithstanding the belief that an international takedown at least partially disabled the malware back in October of last year, this campaign attests to the fact that Dridex's authors are still up to no good.


If anything, the trojan continues to maintain its world dominance, and it is still evolving. Kessem goes on to note in her article how Dridex has incorporated the use of DNS cache poisoning to redirect victims to a fake address whenever they search for a targeted bank. It is then that the attackers lure users into handing over their sensitive financial information.

"After the initial session authentication on the fake website, the victim is presented with injections that instruct him or her to provide two-factor authentication transaction codes (e.g., tokens, second passwords, replies to secret questions, etc.)."

"Those details are harvested by the Trojan, sent to the command-and-control server and then automatically checked for validity on the bank’s genuine website in real time. If the login credentials are valid, the fraudsters can conduct a fraudulent transaction from their own endpoint via account takeover."

At that point, as long as the victim is still distracted by the social engineering injections, the malware authors can use as many fake authentication injections as they want to gain access to the victim's bank account and move the funds stored therein to a mule account.


Thus far, these redirection attacks, which the IBM X-Force team suspects may be inspired by and perhaps even linked to earlier attack campaigns launched by the Dyre trojan, have been observed at no fewer than 13 separate UK banks. The target list has predominantly included bank URLs that act as the dedicated subdomains for business and corporate accounts, suggesting that Dridex is after the big-money victims.

To meet this threat, Kessem advises that financial organizations make an investment in solutions that are capable of detecting infections and protecting customer endpoints in the case of evolving malware like Dridex.
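One way an endpoint team could check for the redirection described above, as an added example (not code from IBM's post or from this article): it parses a resolver cache dump in the format printed by Windows `ipconfig /displaydns` and flags watched banking hostnames that are cached at addresses outside the networks the bank is known to serve from. The hostnames, networks and sample dump are constructed placeholders, and the check assumes the poisoned entry is visible in the endpoint's own resolver cache.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /displaydns` output (English locale assumed,
# Data Length/Section lines trimmed). Names and IPs are documentation placeholders.
SAMPLE_CACHE = """\
    business.bank.example
    ----------------------------------------
    Record Name . . . . . : business.bank.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    A (Host) Record . . . : 203.0.113.77

    www.bank.example
    ----------------------------------------
    Record Name . . . . . : www.bank.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    A (Host) Record . . . : 198.51.100.10
"""

# Hypothetical watch list: hostname -> networks the bank legitimately serves from.
EXPECTED = {
    "business.bank.example": ["198.51.100.0/24"],
    "www.bank.example": ["198.51.100.0/24"],
}

FIELD = re.compile(r"^\s*(Record Name|A \(Host\) Record)[ .]*: (\S+)\s*$")

def parse_cache(text):
    """Yield (hostname, ip) for every A record found in the cache dump."""
    name = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Record Name":
            name = value.lower().rstrip(".")
        elif name:
            yield name, ipaddress.ip_address(value)

def audit(text, expected=EXPECTED):
    """Return (hostname, ip) pairs for watched names cached outside expected networks."""
    findings = []
    for name, ip in parse_cache(text):
        nets = expected.get(name)
        if nets is not None and not any(ip in ipaddress.ip_network(n) for n in nets):
            findings.append((name, str(ip)))
    return findings
```

Hostnames that are not on the watch list are ignored, so the allowlist has to be kept in step with the bank's real hosting ranges to avoid false alerts.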

As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.


One Response

  1. coyote

    January 20, 2016 at 10:36 pm #

    Yet despite the known problems with DNS that DNSSEC can help alleviate.. DNSSEC isn't as widely deployed as it should probably be.

    In fact… Graham… maybe you should consider it for here? A quick dig (which I admit I might not have dug deep enough because I'm quite exhausted and can barely keep eyes open .. but don't think that is it) shows that grahamcluley.com does not have DNSSEC related records.
