Has Dridex been brushing up on its Latvian? Or perhaps its written Estonian skills? Maybe it’s preparing a long overseas stay requiring offshore banking accounts in the Cayman Islands? Recent Dridex configurations analyzed by IBM X-Force reveal that the new wave of Dridex attacks is resilient and more complex than your average malware campaign.

Following several quiet months, a spike in renewed activity suggests the gang operating Dridex is picking up speed with precision and planning.

Unlikely Targets

According to IBM X-Force Research, Dridex configurations from the past two months are replete with a hefty count of targets in some more common countries, such as the U.S., U.K., Canada and Australia. However, the Trojan is targeting some less charted territories as well, such as Lithuania, Latvia, Estonia, Lebanon and Ukraine, to name a few. This is quite uncommon for any banking Trojan.

Per its configuration files, Dridex currently targets over 20 Latvian banks, three banks in Estonia, three in Lithuania and one in Ukraine, among its other uncommon choices of late.

Figure 1. Dridex configuration geo distribution (sample MD5: f5d2d004ac22b17fd48e28f85c9162bf). Source: IBM Trusteer.

Why would Dridex target just one bank in Ukraine, Lebanon or Liechtenstein? Perhaps the operators are moving money to and from these banks rather than stealing from them. Or maybe they start by testing one bank in a given region before developing more elaborate configurations for it.


Dridex Branches Out

In most cases, Dridex is after retail banking accounts (48 percent of targets), but next on its list are banking platforms and URLs leading to:

  • Business banking;
  • Treasury services;
  • Commercial banking;
  • Corporate banking;
  • Investment banking;
  • ACH payments and payroll services;
  • Offshore banking;
  • Private banking;
  • Wealth management; and
  • Background checks and recruitment sites.

There is clearly more going on than before. Much like Shifu, Dridex is adding regular expressions to its target list that match digital banking platform providers, whose hosted platforms serve numerous banks. A single pattern lets Dridex harvest credentials from the customers of every bank deployed on that platform instead of listing each bank's URL separately. X-Force researchers saw at least 10 regular expressions of this type in recent Dridex configurations.
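To make the regex-targeting point concrete, here is an added example (not code from the post, and not taken from any Dridex sample) of how a target list that mixes literal bank URLs with per-platform regular expressions behaves. Every host name, path and pattern below is a placeholder invented for the illustration; the real configuration format and patterns are not shown on this page.

```python
import re

# Constructed, illustrative target list modelled on the shape of a banking
# Trojan's webinject configuration. None of these are real Dridex targets;
# every host name below is a placeholder.
LITERAL_TARGETS = [
    "https://online.examplebank-lv.example/login",
    "https://ebank.examplebank-ee.example/auth",
]

# One pattern per hosted banking platform vendor. Because customer banks are
# served from per-bank subdomains of the vendor's domain, a single regex
# covers every bank on that platform without listing each URL.
REGEX_TARGETS = [
    r"^https://[a-z0-9-]+\.platformvendor\.example/(login|auth)(\?.*)?$",
    r"^https://secure\.[a-z0-9-]+\.example/corp/",
]


def build_matcher(literals=LITERAL_TARGETS, regexes=REGEX_TARGETS):
    """Return a function url -> 'literal' | 'regex' | None."""
    literal_set = set(literals)
    compiled = [re.compile(p, re.IGNORECASE) for p in regexes]

    def is_targeted(url):
        if url in literal_set:
            return "literal"
        for pattern in compiled:
            if pattern.search(url):
                return "regex"
        return None

    return is_targeted


def targeted_hosts(urls, matcher=None):
    """Group matched URLs by host so it is visible how many distinct banks a
    single regex entry reaches. Returns {host: match_kind}."""
    matcher = matcher or build_matcher()
    out = {}
    for url in urls:
        kind = matcher(url)
        if kind:
            host = url.split("//", 1)[1].split("/", 1)[0].lower()
            out[host] = kind
    return out


if __name__ == "__main__":
    # Constructed traffic sample: three banks on the same hosted platform,
    # one literal target, one corporate portal and one unrelated site.
    sample = [
        "https://online.examplebank-lv.example/login",
        "https://bank-a.platformvendor.example/login",
        "https://bank-b.platformvendor.example/auth?lang=lv",
        "https://bank-c.platformvendor.example/about",
        "https://secure.bank-d.example/corp/payments",
        "https://www.unrelated.example/login",
    ]
    for host, kind in targeted_hosts(sample).items():
        print(f"{host}: matched via {kind} entry")
```

From the defender's side the same matcher can be pointed at your own login URLs: if your bank runs on a shared hosted platform, one vendor-wide pattern in an attacker's configuration covers you whether or not your bank's name appears anywhere in it.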

The malware is also harvesting login credentials for a well-known background check vendor and one of the top recruitment sites in the U.S. It is not hard to guess what those will be used for: Background checks give fraudsters a wealth of personal information on high-value targets. Recruitment sites are unknowingly abused by criminals for posting fake jobs, ultimately resulting in money mule recruitment in the geography where the fraud is to be cashed out.

This is rather telling: Dridex’s operators don’t typically recruit money mules in the U.S. or via recruitment sites. Perhaps they are running low on local accounts to facilitate their nefarious activity in America, especially with GozNym being ever so active in the same country.

Served By Good Old Office Macros

So what’s the infection vector at this time for malware like Dridex, which is not only after consumers, but interested in infecting company employees? Unsurprisingly, the top choice continues to be poisoned Word macros delivered in a document file via email. This infection method was extremely popular among banking Trojan operators in 2015, when, according to Dark Reading, macro malware levels hit a six-year high. This year is likely to end on a similar trend.

Dridex has been leveraging poisoned Word macros since it emerged in 2014. Locky, a ransomware code distributed by the same botnets as Dridex, also leverages this infection method, Ars Technica reported.

SecurityWeek reported that, aside from Word macros, Dridex operators also ran recent drive-by download campaigns that used the Neutrino exploit kit to drop Locky, automating infection without relying on the victim to enable macros.
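A first triage check that a mail gateway or an analyst can run on an attachment is whether the file carries a VBA project at all. The following is an added example (Python, not code from the post) that builds a constructed minimal macro-enabled OOXML package in memory and inspects it; the sample is not a real Word file, and its vbaProject.bin part is a stub. A real vbaProject.bin is an OLE container holding compressed VBA source, so extracting and reading the macro code itself needs an OLE-aware tool such as olevba from oletools; legacy binary .doc files (OLE2 throughout) are only recognised here, not parsed.

```python
import io
import re
import zipfile

# Magic bytes of an OLE2 compound file: legacy .doc/.xls/.ppt, and also the
# vbaProject.bin part inside a macro-enabled OOXML package.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Where OOXML packages store a VBA project (Word, Excel, PowerPoint).
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)

# Macro-enabled main-part content types (docm/xlsm/pptm) as declared in
# [Content_Types].xml.
MACRO_CT_RE = re.compile(
    rb'ContentType="application/vnd\.ms-(word|excel|powerpoint)\.[^"]*macroEnabled[^"]*"'
)


def inspect_document(data: bytes) -> dict:
    """Classify a document blob and report whether it carries a VBA project.

    format: 'ole' (legacy binary Office; hand to an OLE parser such as olevba),
            'ooxml', 'zip' (zip without OOXML content types) or 'unknown'.
    """
    result = {"format": "unknown", "has_vba": False, "vba_parts": [],
              "macro_enabled_ct": False, "flag": False}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["format"] = "ooxml" if "[Content_Types].xml" in names else "zip"
        result["vba_parts"] = [n for n in names if VBA_PART_RE.match(n)]
        result["has_vba"] = bool(result["vba_parts"])
        if result["format"] == "ooxml":
            result["macro_enabled_ct"] = bool(
                MACRO_CT_RE.search(zf.read("[Content_Types].xml")))
    # A VBA project is a triage flag for quarantine/detonation, not proof of malice.
    result["flag"] = result["has_vba"] or result["macro_enabled_ct"]
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real Word file).
    The vbaProject.bin part is a stub carrying only the OLE magic; a real one
    is an OLE container with compressed VBA source."""
    if with_vba:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
        vba_override = ('<Override PartName="/word/vbaProject.bin" '
                        'ContentType="application/vnd.ms-office.vbaProject"/>')
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
        vba_override = ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f'{vba_override}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)),
                        ("plain", build_sample(False)),
                        ("legacy", OLE_MAGIC + b"\x00" * 64)):
        print(label, inspect_document(blob))
```

Both signals are checked because they are independent: the part listing tells you a VBA project is physically present, and the content type tells you the package declares itself macro-enabled. A mismatch between the two is itself worth a closer look.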

Back From Vacation

Why did Dridex-delivering spam campaigns appear to be rather sluggish during the summer? With banking malware operations of this type, it is actually common to see a drop during the summer months. An actor on Twitter who calls himself Dridex Bot, purporting to be part of the Evil Corp gang, indicated the group was on vacation.

While this may be true, a gang like Dridex is more likely to slow down to retool before speeding right back up. According to X-Force researchers, Dridex released four builds in the past 30 days alone, including two code updates to its internal strings and its API obfuscation scheme. The malware’s configurations were modified, new infection campaigns prepared, additional sub-botnet sections created (No. 144, No. 1024) and new geographies targeted.

Furthermore, the Locky operation continues full steam ahead. According to Bleeping Computer, Dridex's infrastructure is even being used to spread yet another ransomware family, a new Trojan called Bart.

Busy Year for Dridex

It seems like it has been around forever, doesn't it? In reality, Dridex in its current form is only 2 years old. That is not so young in cybercrime terms, though, and the gang operating Dridex is having quite the busy year in 2016, dabbling in just about every kind of financial malice.

This year, Dridex started copying the Dyre Wolf attacks, attacking companies and robbing millions at a time. Dridex also launched its first ever redirection attacks in early 2016. In June, Dridex was linked with the SWIFT heists. Its Locky operation has been making the headlines far too often as well, mainly for terrorizing health care organizations across the globe with massive ransomware campaigns.

In fact, 69 percent of email attacks with malicious attachments in Q2 2016 contained Locky infections. Data from Shadowserver showed that Dridex infections per day (infected IPs) have also been on the rise, reaching 60 percent spikes in some parts of Europe.

What’s Next?

From information gathered by X-Force Research on Dridex activities across the globe, it is evident Dridex’s botnet operators are a multifaceted group, very likely connected with additional crime factions that use the same resources to commit cybercrime.

Is Dridex going away any time soon? This botnet appears to be more resilient than most. Dridex almost underwent a full takedown in 2015 following the arrest of one of the alleged botnet administrators. Alas, the botnet managed to escape this attempt and continue its operations.

In June, SecurityWeek reported that authorities attempted to disable Dridex by disrupting the Necurs botnet. That, too, was insufficient to halt the operations of Dridex and its branched ransomware arm. Necurs bounced back within a mere two weeks and got right back to the business of disseminating Dridex and Locky variants.

A Formidable Foe

Is this crime group rolling in illicit profits? Considering its resilience, size and all the connected parts of its operation, Dridex is likely the top cybercrime conglomerate of the decade. Researchers estimated that operators of the Dridex and Locky duo are netting between $100,000 and $200,000 per day, not including the millions they must have put away after their alleged part in SWIFT-related attacks.

If Dridex was indeed responsible for the SWIFT attacks, it is operating on the level of a billion-dollar crime ring. This makes Dridex a formidable foe for law enforcement.

Security professionals can deploy antifraud solution suites that evolve to mitigate the risks associated with Dridex. Researchers and analysts can also look up and share threat intelligence on Dridex activity, M.O. and indicators of compromise on the X-Force Exchange.

Recent Dridex MD5

  • fa6781ced155213d7a7535bbe109cf04
  • f5fe906f801d99fafa8a9e0584a37008
  • 7752eaeac2c3a37bba3564fbab0233fc
  • f8fd038db826a1e1c28d384cdc61a82d

