Increased activity of Dridex

By Edgar Namoca on October 15, 2020

(By: Edgar Namoca on October 22, 2020)

Introduction

On June 30, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) put out an advisory alert for a malware known as Dridex. Dridex is a banking malware which first appeared at the end of 2015; its infection rates peaked at the start of 2016 [3]. Recently, the financial services sector has experienced increased Dridex malware attacks targeting private sector financial firms. Dridex targets employees of financial groups in the hope of gaining access to company websites, allowing the attackers to create fake accounts or obtain customer information [1]. Dridex also targets regular citizens, aiming to obtain banking account information in order to steal money. The threat actors behind Dridex have been linked to the Russia-based hacker group Evil Corp [2]. This new alert put out by CISA was specifically intended to update the current indicators of compromise and to warn of the increase in activity.

Function

Dridex is a malware that gains its foothold using phishing emails. The phishing emails have varied widely over the years [1]. The most common way for this malware to be downloaded to a computer is through a Microsoft Office document, attached to a phishing email, that contains hidden or obfuscated macros [1]. Once the compromised document is opened and macros are enabled, the macro reaches out to a File Transfer Protocol (FTP) server to download the Dridex malware. Microsoft prevents the execution of macros without user permission, but users will usually enable them due to social engineering or curiosity to see the document. Once downloaded, an active Dridex has the capability to perform many malicious actions. The main threat to financial activity is its ability to infiltrate and manipulate browser data [2]. Dridex can detect access to online banking applications and websites and inject additional malware that performs keylogging to steal login information [3]. Dridex uses peer-to-peer networking to encrypt and transmit the data it captures [1]. Additionally, if the victim is deemed a high priority target, Dridex can also download and activate a ransomware known as Locky, causing additional damage to compromised computers [4].
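The infection chain above (an Office document whose enabled macro reaches out to an FTP server to fetch the payload) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the CISA alert or from this post: a minimal detection over constructed, Sysmon-style events that flags an Office process connecting to an FTP port or spawning a scripting host. Field names follow Sysmon's process-create and network-connection events; the event values and the 203.0.113.x addresses are invented for the demonstration.

```python
from typing import Dict, List, Optional

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
FTP_PORTS = {20, 21}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Constructed sample events. EventID 1 = process create, EventID 3 = network
# connection (Sysmon numbering); every value here is made up for the example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.7", "DestinationPort": 21},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 21},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 3 and image in OFFICE_PROCESSES and event.get("DestinationPort") in FTP_PORTS:
        # An Office application itself talking FTP: the macro-download stage.
        return "office-ftp: %s -> %s:%d" % (image, event["DestinationIp"], event["DestinationPort"])
    parent = basename(event.get("ParentImage", ""))
    if eid == 1 and parent in OFFICE_PROCESSES and image in SCRIPT_HOSTS:
        # An Office application launching a script host: a common macro dropper pattern.
        return "office-spawn: %s -> %s" % (parent, image)
    return None


def scan(events: List[Dict]) -> List[str]:
    """Run classify() over a list of events and keep only the findings."""
    return [finding for finding in (classify(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A real deployment would read the events from a SIEM or from the Sysmon event log and tune the process and port sets to the environment.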

Mitigation

Below are general mitigation techniques recommended in response to Dridex [1].

Ensure systems are set by default to prevent execution of macros.
Inform and educate employees on the appearance of phishing emails.
Train and encourage employees to report phishing attempts.
Update intrusion detection and prevention systems frequently to ensure the latest variants of malware are included.
Regularly back up data and ensure backed-up data is protected from ransomware attacks.
Keep applications and operating systems patched.
Enable and implement endpoint protection on workstations.
Disable unnecessary services to reduce your attack surface.
Implement appropriate access control lists.

Significance

Dridex is another malware that is using the current pandemic as an opportunity to mount more successful attacks. As with any other malware that has had wide success in critical infrastructure, better employee training could have prevented harm from being done. During the pandemic, many people are working from home or may be using a personal device to do work. Because of the urgency to move to working from home, cyber attack awareness training was not a priority for employers. Since working from home became the everyday normal, there has been a surge in phishing attacks, reinforcing the importance of conducting cybersecurity prevention and awareness training with employees before they commence work from home.

References

[1] https://us-cert.cisa.gov/ncas/alerts/aa19-339a

[2] https://www.spambrella.com/what-is-dridex-malware/#:~:text=Dridex%20is%20an%20evolution%20of,located%20in%20the%20United%20Kingdom.

[3] https://www.bleepingcomputer.com/news/security/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/

[4] https://securelist.com/dridex-a-history-of-evolution/78531/