Limor Kessem, a cybersecurity evangelist at IBM, has written a blog post in which she describes the attack campaign first detected in early January following the release of a new build for the Dridex malware.
“The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K.”
The infection process begins when unsuspecting users open a Microsoft Office email attachment purporting to be an invoice. That file contains malicious macros which, when enabled, launch the exploit and install Dridex on the infected machine.
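The invoice lure only works if the macro-laden document reaches the user, so the first place to break the chain is attachment triage at the mail gateway. The following is an added example, not code from the article or from IBM X-Force: it flags Office attachments that carry a VBA project regardless of the extension the sender chose (a `.docm` renamed to `.docx` is still caught), and routes legacy binary `.doc`/`.xls` files, which would need a dedicated OLE parser, to manual review. The sample documents, the verdict names and the `build_sample_docx` helper are constructed for the demo.

```python
# Added example (not code from the article or from IBM X-Force): a mail-gateway style
# triage check that flags Office attachments carrying VBA macros, regardless of the
# file extension the sender chose. Sample documents are constructed in memory.
import io
import zipfile

# OOXML parts that hold a VBA project (Word, Excel, PowerPoint).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 compound file format (.doc/.xls). Macros there
# live inside OLE streams and need a dedicated parser, so we only flag for review.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML container that embeds a VBA project.

    Both the part list and [Content_Types].xml are checked, so a macro document
    renamed from .docm to .docx is still caught.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False  # not an OOXML package at all
    names = set(zf.namelist())
    if names & VBA_PARTS:
        return True
    if "[Content_Types].xml" in names:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        return VBA_CONTENT_TYPE in types_xml
    return False


def triage_attachment(data: bytes) -> str:
    """Return 'quarantine', 'review' or 'allow' for one attachment body (constructed verdict names)."""
    if data.startswith(OLE2_MAGIC):
        return "review"       # legacy binary Office file: cannot rule macros out here
    if has_vba_project(data):
        return "quarantine"   # macro-enabled OOXML: the "enable content" lure applies
    return "allow"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package for the demo (constructed, not a real invoice)."""
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        types_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 container; this is a stand-in.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("macro invoice", build_sample_docx(True)),
        ("clean invoice", build_sample_docx(False)),
        ("legacy .doc", OLE2_MAGIC + b"\x00" * 16),
    ]
    for label, blob in samples:
        print(f"{label}: {triage_attachment(blob)}")
```

The content-type check matters because the part list alone can be fooled by an unusual part name; Word itself relies on the `vbaProject` content type to decide whether to show the "enable content" bar, so matching on it catches what the user would actually be asked to enable.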
Notwithstanding the belief that an international takedown at least partially disabled the malware back in October of last year, this campaign attests to the fact that Dridex’s authors are still up to no good.
If anything, the trojan continues to maintain its world dominance, and it is still evolving. Kessem goes on to note in her article how Dridex has incorporated the use of DNS cache poisoning to redirect victims to a fake address whenever they search for a targeted bank. It is then that the attackers lure users into handing over their sensitive financial information.
“After the initial session authentication on the fake website, the victim is presented with injections that instruct him or her to provide two-factor authentication transaction codes (e.g., tokens, second passwords, replies to secret questions, etc.).”
“Those details are harvested by the Trojan, sent to the command-and-control server and then automatically checked for validity on the bank’s genuine website in real time. If the login credentials are valid, the fraudsters can conduct a fraudulent transaction from their own endpoint via account takeover.”
At that point, as long as the victim is still distracted by the social engineering injections, the malware authors can use as many fake authentication injections as they want to gain access to the victim’s bank account and move the funds stored therein to a mule account.
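Because the victim never reaches the genuine site, the bank sees only the fraudster's endpoint replaying the harvested credentials and 2FA code, followed within minutes by a new payee or a transfer. That shape is detectable on the bank side. The following is an added example, not code from the article or from IBM X-Force: a rule that alerts when an account logs in from an endpoint (IP plus user agent) never seen before for that account and then performs a high-risk action from that same endpoint inside a short window. The log format, the account numbers, the IP addresses and the event names are all constructed for this demo, and the rule assumes events arrive in time order.

```python
# Added example (not code from the article or from IBM X-Force): a bank-side
# detection rule for the account-takeover step described above. The log format,
# the account numbers and the IPs are all constructed for this demo; the rule
# assumes events arrive in time order.
from collections import defaultdict
from datetime import datetime, timedelta

# Actions a fraudster performs from their own endpoint once the harvested
# credentials and 2FA code have been replayed on the genuine site.
HIGH_RISK_EVENTS = {"payee_added", "transfer", "limit_raised"}

# Constructed sample. Account 1001 is the victim: its usual device logs in on the
# 18th; on the 19th a never-seen endpoint logs in, passes the OTP and immediately
# adds a payee and moves money. 2002 transfers from a known device (no alert).
# 3003 logs in from a new device but only views a balance (no alert).
SAMPLE_LOG = """\
2016-01-18T18:02:11Z acct=1001 ip=203.0.113.10 ua=Chrome/47 event=login_ok
2016-01-18T18:03:00Z acct=2002 ip=192.0.2.5 ua=Safari/9 event=login_ok
2016-01-18T18:04:00Z acct=3003 ip=192.0.2.40 ua=Chrome/47 event=login_ok
2016-01-19T09:12:41Z acct=1001 ip=198.51.100.77 ua=Firefox/43 event=login_ok
2016-01-19T09:13:05Z acct=1001 ip=198.51.100.77 ua=Firefox/43 event=otp_ok
2016-01-19T09:13:30Z acct=1001 ip=198.51.100.77 ua=Firefox/43 event=payee_added
2016-01-19T09:14:02Z acct=1001 ip=198.51.100.77 ua=Firefox/43 event=transfer
2016-01-19T09:20:00Z acct=2002 ip=192.0.2.5 ua=Safari/9 event=login_ok
2016-01-19T09:21:00Z acct=2002 ip=192.0.2.5 ua=Safari/9 event=transfer
2016-01-19T10:00:00Z acct=3003 ip=192.0.2.9 ua=Edge/13 event=login_ok
2016-01-19T10:01:00Z acct=3003 ip=192.0.2.9 ua=Edge/13 event=balance_view
"""


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime `ts`."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_new_endpoint_takeovers(log_text: str,
                                window: timedelta = timedelta(minutes=15)) -> list:
    """Alert when an account logs in from an endpoint (ip, user-agent) never seen
    before for that account and performs a high-risk action from that same
    endpoint within `window`. Returns (account, ip, event, iso_timestamp) tuples."""
    known = defaultdict(set)   # account -> endpoints seen on earlier successful logins
    fresh = {}                 # account -> (login time, endpoint) of a new-endpoint login
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        acct, endpoint = ev["acct"], (ev["ip"], ev["ua"])
        if ev["event"] == "login_ok":
            # Only accounts with a history can have a "new" endpoint; a first-ever
            # login is a baseline, not an anomaly.
            if known[acct] and endpoint not in known[acct]:
                fresh[acct] = (ev["ts"], endpoint)
            known[acct].add(endpoint)
        elif ev["event"] in HIGH_RISK_EVENTS and acct in fresh:
            login_ts, login_endpoint = fresh[acct]
            if endpoint == login_endpoint and ev["ts"] - login_ts <= window:
                alerts.append((acct, ev["ip"], ev["event"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_new_endpoint_takeovers(SAMPLE_LOG):
        print("ALERT new-endpoint takeover:", alert)
```

A valid OTP does not clear the alert here, deliberately: in the flow described above the code was harvested from the victim seconds earlier, so a passed second factor from a never-seen endpoint is exactly the condition the rule is meant to catch. In production the endpoint fingerprint would carry more than IP and user agent, and the baseline would come from a device store rather than from the same log.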
Thus far, these redirection attacks, which the IBM X-Force team suspects may be inspired by, and perhaps even linked to, earlier attack campaigns launched by the Dyre trojan, have been observed at at least 13 separate UK banks. The target list has predominantly included bank URLs that act as the dedicated subdomains for business and corporate accounts, suggesting that Dridex is after the big-money victims.
To meet this threat, Kessem advises that financial organizations make an investment in solutions that are capable of detecting infections and protecting customer endpoints in the case of evolving malware like Dridex.
As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.