Dridex Banking Trojan Makes a Resurgence, Targets US
Just Six Months After Takedown, Malware Returns With New Tactics
Just six months after international law enforcement agencies coordinated a takedown to disrupt online banking credential theft linked to the banking Trojan Dridex, the malware has re-emerged with new attack tactics and new targets, including U.S. bank accounts, according to the cybersecurity firm F5 (see Inside the Dridex Malware Takedown).
Dridex, which previously focused its attacks on European bank accounts, has shifted its focus to the U.S. in recent months. The malware is typically distributed through phishing, and once PCs are infected, online banking credentials are stolen with web injections and redirects to fake webpages, F5 says in a new report.
"The Dridex target list was significantly expanded (129 redirect and injection directives)," mainly focusing its attacks against online U.S. bank accounts, users of social media sites that are related to the U.S., credit card companies and financial investment corporations, F5 claims.
"The most noticeable observation in the current web injects is that most of them are accompanied by activating the VNC [virtual network computing] functionality, which enables the fraudsters to remotely connect to their victim during the credentials theft," the research firm adds.
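One server-side signal a bank can use against the inject-and-VNC pattern described above: a web inject that asks the victim for data the real page never requests (a card PIN, a full card number, a Social Security number) produces a login or transfer POST carrying form fields the application did not render. The check below is an added example, not code from F5, Fox-IT or the Dridex operators; the application paths, field names and log records are constructed for illustration, and the check does not encode any actual Dridex inject configuration.

```python
from urllib.parse import parse_qs

# Hypothetical bank application paths and the fields each page legitimately
# renders. Anything else arriving in the POST body is a candidate inject.
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf"},
    "/transfer": {"to_account", "amount", "memo", "csrf"},
}

# Constructed sample access-log records: (client_ip, path, urlencoded body).
# The second and third carry extra fields a web inject might solicit.
SAMPLE_POSTS = [
    ("198.51.100.5", "/login", "username=alice&password=pw1&csrf=abc"),
    ("198.51.100.7", "/login",
     "username=bob&password=pw2&csrf=def&atm_pin=1234&ssn=123456789"),
    ("198.51.100.9", "/transfer",
     "to_account=12345678&amount=10&memo=rent&csrf=ghi&card_cvv=123"),
]


def unexpected_fields(path, body):
    """Return the sorted field names in the POST body that the page at
    `path` never renders. An unknown path has no allowlist, so every
    field is reported and should be reviewed."""
    submitted = set(parse_qs(body, keep_blank_values=True))
    return sorted(submitted - EXPECTED_FIELDS.get(path, set()))


def flag_inject_candidates(posts):
    """Scan (ip, path, body) records and return one finding per request
    that carries fields outside the page's allowlist."""
    findings = []
    for ip, path, body in posts:
        extra = unexpected_fields(path, body)
        if extra:
            findings.append({"client": ip, "path": path, "extra_fields": extra})
    return findings


if __name__ == "__main__":
    for finding in flag_inject_candidates(SAMPLE_POSTS):
        print(finding)
```

The field allowlist catches injects that over-ask, but it says nothing about the VNC step: because the fraudster connects through the victim's own machine, the subsequent fraudulent session arrives from the victim's IP, browser and device fingerprint, so IP reputation and device binding alone will not flag it. That is why the behavioral analytics mentioned later in this article matter for this particular tactic.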
The firm claims that 80 percent of Dridex's latest targets are located in the U.S., based on information that was compiled in April.
Eward Driehuis, director of product management for cybersecurity and threat intelligence firm Fox-IT, says that although last year's takedown of a botnet linked to Dridex foiled the Trojan's operations for a few months, such takedowns often have a short-lived impact because so many different crime groups use the same malware. As a result, taking down a botnet linked to one crime group will not typically have an impact on other groups using the same malware (see Dridex Malware Campaign Disrupted).
"Ever since Business Club [the crime ring behind Gameover Zeus] members stopped P2P Zeus, in recent months Dridex has grown in size and also in operating models - not only for banking attacks, but also more targeted financial attacks, network penetration and even ransomware," Driehuis says. "We have tracked them for quite some time."
Attacks Migrate to U.S.
Ben Knieff, a senior analyst at the consultancy Aite, says malware attacks often migrate to the U.S. as hackers' techniques evolve.
"Attackers will test their malware in smaller markets first - low amount of attention and victims - and refine it in stages," he says. "It might start in Belgium or the Netherlands, then graduate to the U.K. or Germany before heading to the U.S."
And U.S. bank accounts are desirable targets for a number of reasons, Knieff adds. "The U.S. is, of course, the big market to hit - the dollar is a hard currency, there are many potential victims, and U.S. institutions generally have some of the weakest authentication controls. So if it works in the U.K., it will likely work even better in the U.S. As always, institutions need to try to be proactive and understand the threats that are emerging in other countries - not just Western Europe, but Eastern Europe, India, China and more - to understand what is likely to come next."
The best way to fight the spread of Dridex is stronger authentication to help block inappropriate access to accounts, says John Buzzard, director of product management for security firm Rippleshot Fraud Analytics.
"Dridex malware is focusing on stealing credentials to enable account takeovers to be orchestrated more effectively," Buzzard says. "Corporate targets for phishing are still a huge target, because thieves want corporate logins and passwords. And PINs captured and matched up to stolen card information immediately increases the street value for carders in underground forums."
Other observers say European banks have improved their intrusion detection rates, which has pushed criminals to target the U.S., where detection at some banks and businesses is not as advanced. Real-time behavioral analytics also has helped to mitigate risks in Europe, says one security expert, who asked not to be named.
The latest round of Dridex attacks is emerging as part of combination attacks that seek to compromise more than online account data, Buzzard says. "It's possible that Dridex is used in combination with ransomware attacks. ... These are all classics; but still a situation where we find no immediate solution. People forget about the specific threat and move on to the 'threat du jour,' leaving themselves woefully open to attack."
In October, global law enforcement agencies and banks helped to take down a botnet used to wage Dridex attacks. At the time, officials claimed Dridex was responsible for at least $40 million in account takeover losses globally.
"Dridex started in the U.K., where we saw the first five- and six-figure fraud [amounts]," Andy Chandler, a senior vice president at Fox-IT, told Information Security Media Group last fall. "As they scaled their footprint, they also increased the amounts they would attempt to steal, and we did see them successfully take seven figures from business accounts."
Today, Chandler says the U.S. is seeing an increased amount of activity linked to Dridex, with a "higher percentage of the activity in the hybrid-style attacks against online banking users."
"But also we have seen these actors use their bots for more targeted types of attacks, too," such as those that go after specific financial data, he adds.