Warnings were issued yesterday by the US Computer Emergency Readiness Team (CERT) and the UK National Crime Agency about a piece of malware called Dridex, which is used for stealing money from online bank accounts. The malware itself is not new; it first emerged in July 2014, and is considered the successor to a previous piece of malicious software called Cridex. Its prevalence declined following the arrest of Andrey Ghinkul in August this year, and there had been hopes that this would continue. Instead, there has been a resurgence of cases.
Bank accounts are compromised by waiting for the legitimate user to visit one, recording the usernames, passwords and other credentials used to gain access, then sending those credentials to someone waiting to use them to fraudulently withdraw money. The groups responsible for this type of criminal activity are often highly organised, so there could be different individuals responsible for writing the malware, distributing it to victims and collecting the results, performing the initial withdrawals, and then laundering the money so that it cannot be traced. Those near the end of this chain are generally more expendable than those near the beginning.
In this instance, the authorities believed that they had disrupted part of this chain by disabling the ‘botnet’ of Dridex-infected computers, and by arresting a suspected administrator of that botnet. According to US Attorney David J Hickton, they had “struck a blow to one of the most pernicious malware threats in the world”. However, the effect appears to have been short-lived.
The primary infection vector for Dridex has been through phishing campaigns, whereby apparently innocuous e-mails are sent to potential victims in the hope that they will open an infected attachment – typically a Microsoft Word or Excel document in this instance. The attachment then downloads the malware itself from the internet and installs it on the computer. Bank credentials are harvested and sent back to the attackers.
Nettitude have seen many such phishing attempts, including one using 22 different variants of a malicious word document that will download and install Dridex if opened. Because there are so many variants, these documents are not listed in public databases of malicious files; and because they do not themselves perform any directly malicious action, they are less likely to be detected by antivirus software. However they are certainly not benign, and represent one of the most prominent threats we have encountered recently.
Losses due to Dridex have been estimated at £20m in the UK, and at least $10m in the US. Whether this continues to escalate will depend on how successful the authorities are in their continuing efforts to shut down the network. One of the technical methods used to achieve this is to take control of domain names or other assets used by the perpetrators, and redirect them to a benign location. Unfortunately these assets can be replaced so long as the organisation behind them remains in existence.
If you have a substantial amount of money at stake, the best way to protect yourself against this and other types of malware is to use a dedicated machine for internet banking. Other useful precautions include:
- Bookmarking the bank website (to avoid typing errors)
- Not clicking on links or attachments in e-mails unless you are confident that you trust their authenticity
- Installing effective anti-virus protection, on operating systems where this is appropriate
- Ensuring that your operating system and web browser are up to date, with all relevant security patches applied
Larger organisations should monitor their networks for signs of malware activity, for example, by subscribing to the Nettitude Threat2Alert service.
To contact Nettitude’s editor, please email firstname.lastname@example.org.