Has Dridex been brushing up on its Latvian? Or perhaps its written Estonian skills? Maybe it’s preparing a long overseas stay requiring offshore banking accounts in the Cayman Islands? Recent Dridex configurations analyzed by IBM X-Force reveal that the new wave of Dridex attacks is resilient and more complex than your average malware campaign.

Following several quiet months, a spike in renewed activity suggests the gang operating Dridex is picking up speed with precision and planning.

Unlikely Targets

According to IBM X-Force Research, Dridex configurations from the past two months are replete with a hefty count of targets in some more common countries, such as the U.S., U.K., Canada and Australia. However, the Trojan is targeting some less charted territories as well, such as Lithuania, Latvia, Estonia, Lebanon and Ukraine, to name a few. This is quite uncommon for any banking Trojan.

Per its configuration files, Dridex currently targets over 20 Latvian banks, three banks in Estonia, three in Lithuania and one in Ukraine, among its other uncommon choices of late.

Figure 1. Dridex Configuration Geo Distribution; MD5: f5d2d004ac22b17fd48e28f85c9162bf. Source: IBM Trusteer)

Why would Dridex target just one bank in Ukraine, Lebanon or Lichtenstein? Perhaps the developers are moving money to and from these banks rather than stealing from them. Or maybe they start by testing one bank in a given region before developing more elaborate configurations.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Dridex Branches Out

In most cases, Dridex is after retail banking accounts (48 percent of targets), but next on its list are banking platforms and URLs leading to:

  • Business banking;
  • Treasury services;
  • Commercial banking;
  • Corporate banking;
  • Investment banking;
  • ACH payments and payroll services;
  • Offshore banking;
  • Private banking;
  • Wealth management; and
  • Background checks and recruitment sites.

There sure seems to be more going on than previously. Much like Shifu, Dridex is adding regular expressions to target digital banking platform providers, which are used by numerous banks. By doing that, Dridex enables itself to steal credentials from users of any bank that deploys that same platform instead of having to include the URL of each. X-Force researchers saw at least 10 different regular expressions of this type in recent Dridex configurations.

The malware is scouting login credentials to a well-known background check vendor and one of the top recruitment sites in the U.S. It’s not hard to guess what those will be used for: Background checks give fraudsters tons of personal information on high-value targets. Recruitment sites are unknowingly abused by criminals for posting fake jobs, ultimately resulting in money mule recruitment in the target geography where the fraud is to be cashed out.

This is rather telling: Dridex’s operators don’t typically recruit money mules in the U.S. or via recruitment sites. Perhaps they are running low on local accounts to facilitate their nefarious activity in America, especially with GozNym being ever so active in the same country.

Served By Good Old Office Macros

So what’s the infection vector at this time for malware like Dridex, which is not only after consumers, but interested in infecting company employees? Unsurprisingly, the top choice continues to be poisoned Word macros delivered in a document file via email. This infection method was extremely popular among banking Trojan operators in 2015, when, according to Dark Reading, macro malware levels hit a six-year high. This year is likely to end on a similar trend.

Dridex has been leveraging poisoned Word macros since it emerged in 2014. Locky, a ransomware code distributed by the same botnets as Dridex, also leverages this infection method, Ars Technica reported.

SecurityWeek reported that, aside from Word macros, Dridex operators also conducted recent drive-by download campaigns to drop Locky infections using the Neutrino exploit kit and automate infections.

Back From Vacation

Why did Dridex-delivering spam campaigns appear to be rather sluggish during the summer? With banking malware operations of this type, it’s actually common to see a drop during the summer months. An actor on Twitter who calls himself Dridex Bot, purporting to be part of the Evil Corp gang, indicated the group was on vacation:

While this may be true, a gang like Dridex is more likely to slow down to retool before speeding right back up. According to X-Force researchers, Dridex released four builds in the past 30 days alone, including two code updates to its internal strings and its API obfuscation scheme. The malware’s configurations were modified, new infection campaigns prepared, additional sub-botnet sections created (No. 144, No. 1024) and new geographies targeted.

Furthermore, the Locky operation continues full steam ahead. According to Bleeping Computer, Dridex’s infrastructure is even being used to spread yet another ransomware piece: a new Trojan called Bart.

Busy Year for Dridex

It seems like it has been around forever, doesn’t it? But in reality, Dridex, in its current form, is only 2 years old. But it’s not so young in cybercrime terms, and the gang operating Dridex is having quite the busy year in 2016, dabbling in just about every kind of financial malice.

This year, Dridex started copying the Dyre Wolf attacks, attacking companies and robbing millions at a time. Dridex also launched its first ever redirection attacks in early 2016. In June, Dridex was linked with the SWIFT heists. Its Locky operation has been making the headlines far too often as well, mainly for terrorizing health care organizations across the globe with massive ransomware campaigns.

In fact, 69 percent of email attacks with malicious attachments in Q2 2016 contained Locky infections. Data from Shadowserver showed that Dridex infections per day (infected IPs) have also been on the rise, reaching 60 percent spikes in some parts of Europe.

What’s Next?

From information gathered by X-Force Research on Dridex activities across the globe, it is evident Dridex’s botnet operators are a multifaceted group, very likely connected with additional crime factions that use the same resources to commit cybercrime.

Is Dridex going away any time soon? This botnet appears to be more resilient than most. Dridex almost underwent a full takedown in 2015 following the arrest of one of the alleged botnet administrators. Alas, the botnet managed to escape this attempt and continue its operations.

In June, SecurityWeek reported that authorities attempted to disable Dridex by disrupting the Necurs botnet. That, too, was insufficient to halt the operations of Dridex and its branched ransomware arm. Necurs bounced back within a mere two weeks and got right back to the business of disseminating Dridex and Locky variants.

A Formidable Foe

Is this crime group rolling in illicit profits? Considering its resilience, size and all the connected parts of its operation, Dridex is likely the top cybercrime conglomerate of the decade. Researchers estimated that operators of the Dridex and Locky duo are netting between $100,000 and $200,000 per day, not including the millions they must have put away after their alleged part in SWIFT-related attacks.

If Dridex was indeed responsible for the SWIFT attacks, it is operating on the level of a billion-dollar crime ring. This makes Dridex a formidable foe for law enforcement.

Security professionals can deploy antifraud solution suites that evolve to mitigate the risks associated with Dridex. Researchers and analysts can also look up and share threat intelligence on Dridex activity, M.O. and indicators of compromise on the X-Force Exchange.

Recent Dridex MD5

  • fa6781ced155213d7a7535bbe109cf04
  • f5fe906f801d99fafa8a9e0584a37008
  • 7752eaeac2c3a37bba3564fbab0233fc
  • f8fd038db826a1e1c28d384cdc61a82d

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…