IBM X-Force researchers have been following new developments in the Dridex Trojan’s attack methodologies. In their latest alert, researchers divulged a new modus operandi launched by Evil Corp, the cybercrime group that owns and operates the Dridex banking Trojan.
Dridex Learns From Dyre
Dridex recently released a new malware build with some internal bug fixes. The new version, v196769, which is v.3.161, was first detected on Jan. 6, 2016. The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K.
Recipients who received Dridex spam got a Microsoft Office file attachment purporting to be an invoice via email. The file contained poisoned macros that, once enabled, launch the exploitation and infection process of the Dridex Trojan. The resulting communications appear to be taking place with Dridex’s sub-botnet No. 220.
X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology. The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.
What Are Redirection Attacks?
The overall idea behind redirection attacks is to send the infected victim to an entirely new website when they try to browse to their online banking site, never allowing them to reach the bank’s real site. By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.
Creating Replica Sites
To prepare for such a redirection attack, the cybercrime gang needs to invest heavily in creating website replicas of targeted banks. When Dyre started using this scheme, it was targeting over a dozen banks — a rather resource-intensive operation that eventually drove Dyre’s operators to switch back to using webinjections and page replacements.
Once the site replicas are ready, the Trojan causes an immediate redirection of victims’ HTTP requests and sends them to a new, impostor URL without any visual clue or visible delay. Dyre used a local proxy to do this, and Dridex now uses DNS poisoning on the local endpoint to redirect the victim to pages it controls.
In DNS cache poisoning, an attacker inserts a fake address record for an Internet domain into the endpoint’s cache DNS. As a result, the cache will use the fake address in subsequent browsing requests and route traffic to the address of the attacker’s server. For as long as the fake entry is cached by the server, browsers or email servers will automatically send victims to the address provided by the compromised DNS server.
Asking the Right Questions
Visually, the victim sees the site replica and the correct URL in the browser’s address bar. They won’t typically suspect that anything happened and will proceed to log in as usual. However, since the victim has never actually reached the bank’s website, the bank’s server does not see the login and has no information on the session.
After the initial session authentication on the fake website, the victim is presented with injections that instruct him or her to provide two-factor authentication transaction codes (e.g., tokens, second passwords, replies to secret questions, etc.). Those details are harvested by the Trojan, sent to the command-and-control server and then automatically checked for validity on the bank’s genuine website in real time. If the login credentials are valid, the fraudsters can conduct a fraudulent transaction from their own endpoint via account takeover.
The fraudsters initiate the illicit transaction while the victim is being delayed by the social engineering injections on the fake site. If the fraudsters lack any details or face additional challenges on the bank’s website, they use more injections to solicit the victim’s assistance. In cases of successful information harvesting, the money is moved from the victim’s account to a mule account.
Dridex Scales Up in Quantity and Quality
At the initial phase of the new redirection attacks, Dridex’s operators only targeted two banks in the U.K. Within a week, that list expanded to include 13 banks, all of which are based in the U.K. It is possible that Dridex started with testing on the first two banks and then, once the other site replicas were ready, added more banks to its target list.
Dridex seems to be heavily inspired by the Dyre Trojan, and it is not impossible that the two groups share some key developers or management. It’s therefore possible that Dridex borrowed or bought the site replicas from the Dyre group and moved to the new attack method in the same geography where Dyre used it before.
Dridex also continues to scale up in victim quality. The bank URLs on the target list are, for the most part, the dedicated subdomains for business and corporate account access. By targeting the higher-value customers in each bank, Dridex’s operators are clearly planning to make large fraudulent transfers out of business accounts and are less enticed by personal banking.
Read the white paper: Staying ahead of threats with global threat intelligence
Global Perspective
Dridex’s ranking on the global malware list has been consistent throughout 2015 and shows it is one of the dominant threats. IBM X-Force data indicated that Dridex is one of the top three most active banking Trojans in the world, even after closely escaping a law enforcement shutdown attempt in October 2015.
The chart below shows Dridex’s ranking among the top offenders on the financial malware roster for the year of 2015, according to IBM Security Trusteer. IBM X-Force researchers expect Dridex to maintain its dominance in the cybercrime arena this year.
At the time of this writing, the Dridex sample analyzed by IBM X-Force is only properly detected by four antivirus vendors out of 56, according to VirusTotal.
Detecting and Fighting Dridex
IBM Security Trusteer has worked with customers to study and stop Dridex attacks. It can be helpful for banks that wish to learn more about this high-risk threat. To help stop threats such as Dridex, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in a region.
On the bank’s side, fighting evolving threats — such as Dridex’s redirection attacks — is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.
Sample MD5: b24dec9f053f8e3ff698aea4e4eb4ccd
Principal Consultant, X-Force Cyber Crisis Management, IBM