Light Dark
January 19, 2016 By Limor Kessem 4 min read
Advanced Threats
Malware
Threat Intelligence
X-Force

IBM X-Force researchers have been following new developments in the Dridex Trojan’s attack methodologies. In their latest alert, researchers divulged a new modus operandi launched by Evil Corp, the cybercrime group that owns and operates the Dridex banking Trojan.

Dridex Learns From Dyre

Dridex recently released a new malware build with some internal bug fixes. The new version, v196769, which is v.3.161, was first detected on Jan. 6, 2016. The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K.

Recipients who received Dridex spam got a Microsoft Office file attachment purporting to be an invoice via email. The file contained poisoned macros that, once enabled, launch the exploitation and infection process of the Dridex Trojan. The resulting communications appear to be taking place with Dridex’s sub-botnet No. 220.

X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology. The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.

What Are Redirection Attacks?

The overall idea behind redirection attacks is to send the infected victim to an entirely new website when they try to browse to their online banking site, never allowing them to reach the bank’s real site. By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.

Creating Replica Sites

To prepare for such a redirection attack, the cybercrime gang needs to invest heavily in creating website replicas of targeted banks. When Dyre started using this scheme, it was targeting over a dozen banks — a rather resource-intensive operation that eventually drove Dyre’s operators to switch back to using webinjections and page replacements.

Once the site replicas are ready, the Trojan causes an immediate redirection of victims’ HTTP requests and sends them to a new, impostor URL without any visual clue or visible delay. Dyre used a local proxy to do this, and Dridex now uses DNS poisoning on the local endpoint to redirect the victim to pages it controls.

In DNS cache poisoning, an attacker inserts a fake address record for an Internet domain into the endpoint’s cache DNS. As a result, the cache will use the fake address in subsequent browsing requests and route traffic to the address of the attacker’s server. For as long as the fake entry is cached by the server, browsers or email servers will automatically send victims to the address provided by the compromised DNS server.

Asking the Right Questions

Visually, the victim sees the site replica and the correct URL in the browser’s address bar. They won’t typically suspect that anything happened and will proceed to log in as usual. However, since the victim has never actually reached the bank’s website, the bank’s server does not see the login and has no information on the session.

After the initial session authentication on the fake website, the victim is presented with injections that instruct him or her to provide two-factor authentication transaction codes (e.g., tokens, second passwords, replies to secret questions, etc.). Those details are harvested by the Trojan, sent to the command-and-control server and then automatically checked for validity on the bank’s genuine website in real time. If the login credentials are valid, the fraudsters can conduct a fraudulent transaction from their own endpoint via account takeover.

The fraudsters initiate the illicit transaction while the victim is being delayed by the social engineering injections on the fake site. If the fraudsters lack any details or face additional challenges on the bank’s website, they use more injections to solicit the victim’s assistance. In cases of successful information harvesting, the money is moved from the victim’s account to a mule account.

Dridex Scales Up in Quantity and Quality

At the initial phase of the new redirection attacks, Dridex’s operators only targeted two banks in the U.K. Within a week, that list expanded to include 13 banks, all of which are based in the U.K. It is possible that Dridex started with testing on the first two banks and then, once the other site replicas were ready, added more banks to its target list.

Dridex seems to be heavily inspired by the Dyre Trojan, and it is not impossible that the two groups share some key developers or management. It’s therefore possible that Dridex borrowed or bought the site replicas from the Dyre group and moved to the new attack method in the same geography where Dyre used it before.

Dridex also continues to scale up in victim quality. The bank URLs on the target list are, for the most part, the dedicated subdomains for business and corporate account access. By targeting the higher-value customers in each bank, Dridex’s operators are clearly planning to make large fraudulent transfers out of business accounts and are less enticed by personal banking.

Read the white paper: Staying ahead of threats with global threat intelligence

Global Perspective

Dridex’s ranking on the global malware list has been consistent throughout 2015 and shows it is one of the dominant threats. IBM X-Force data indicated that Dridex is one of the top three most active banking Trojans in the world, even after closely escaping a law enforcement shutdown attempt in October 2015.

The chart below shows Dridex’s ranking among the top offenders on the financial malware roster for the year of 2015, according to IBM Security Trusteer. IBM X-Force researchers expect Dridex to maintain its dominance in the cybercrime arena this year.

At the time of this writing, the Dridex sample analyzed by IBM X-Force is only properly detected by four antivirus vendors out of 56, according to VirusTotal.

Detecting and Fighting Dridex

IBM Security Trusteer has worked with customers to study and stop Dridex attacks. It can be helpful for banks that wish to learn more about this high-risk threat. To help stop threats such as Dridex, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in a region.

On the bank’s side, fighting evolving threats — such as Dridex’s redirection attacks — is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Sample MD5:  b24dec9f053f8e3ff698aea4e4eb4ccd

 |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM

More from Advanced Threats
April 9, 2024

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

November 6, 2023

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

August 2, 2022

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature