Endpoint Protection

DRIDEX is an online banking malware that steals personal information through HTML injections. This mainly targets customers of financial/banking institutions based in Europe. First spotted around November 2014, DRIDEX is considered to be the direct successor of online banking malware CRIDEX; it features new malicious routines as well as techniques to avoid detection.

Symantec classification for Cridex:

W32.Cridex

http://www.symantec.com/security_response/writeup.jsp?docid=2012-012103-0840-99

W32.Cridex is a worm that spreads by copying itself to mapped and removable drives. It also opens a back door and downloads potentially malicious files on to the compromised computer.

Trojan.Cridex

http://www.symantec.com/security_response/writeup.jsp?docid=2015-012314-0117-99

Trojan.Cridex is a Trojan horse that may add the compromised computer to a botnet and steal information.

Other Dridex samples are caught as Trojan Horse, Trojan.Gen and other more generic names. There is also coverage in place for 64-bit versions, heuristic signatures against Cridex, IPS, etc.  Those are quite effective.

As per VirusTotal, Dridex is detected by all antivirus softwares:

https://www.virustotal.com/en/file/de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773/analysis/1419394924/

https://www.virustotal.com/en/file/de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773/analysis/

For more on this and similar threats, please see:

The state of financial Trojans 2014

http://www.symantec.com//content/en/us/enterprise/media/security_response/whitepapers/the-state-of-financial-trojans-2014.pdf

How does DRIDEX arrive into users’ systems?

The attack works this way – the victim gets an email with a Microsoft Word or Excel document attached. The document includes a payload that downloads malware called 'Dridex', which is designed to target online banking information. The attacks lure the victims to open the attachment by using the names of legitimate companies located in the U.K. Some of the emails refer to an 'attached invoice' by stating it comes from a software company, online retailer or bank.

Once the user opens the attachment, Dridex malware is installed. Users must enable macros in order for the malicious documents to work, and the some of the documents contain instructions on how to do just that. 

Note here that the feature that allows macro code to run on Word files is disabled on default. The code will execute only when the feature is enabled.

What happens when users execute this threat on their systems?

Once installed and executed on an affected system, an attacker can perform the following actions: 

• Upload files
• Download files
• Execute files
• Monitor network traffic
• Browser screenshot taking
• Add the compromised computer to a botnet
• Communicate with other peer nodes through the peer-to-peer (P2P) protocol to retrieve configuration details
• Download and execute additional modules
• Download and execute additional files
• Inject itself into browser processes for Internet Explorer, Chrome, and Firefox in order to monitor communications and steal information.

How does this threat affect users?

DRIDEX affects users by stealing their personal information (online banking account credentials) through its many personal information theft/browser monitoring routines.

It can also violate their privacy, as the login credentials stolen may also lead to the user’s other online accounts, such as social media, being broken into and/or hijacked. The screenshots taken may also inadvertently expose more of the user’s personal information.

Why is this threat distinguished?

DRIDEX is distinguished as it is a banking malware that sports multiple information theft routines to steal online banking information – one of these routines being the ability to ‘inject’ malicious code into certain websites that the affected user is currently viewing.

The malicious code that is injected usually facilitates the information theft – i.e. instead of a login website sending the entered credentials to the organization, it sends the information to the cybercriminals responsible instead.

It is also notable for specifically targeting major online banking/financial institutions based in Europe.

What can users do to prevent these threats from affecting their computers? What should they do if they suspect infection?

Users can protect themselves by adhering to the following best practices:

• Delete any suspicious-looking emails you receive, especially if they sport links and/or attachments. Don’t even open them, just delete them. If they purport to come from legitimate organizations, verify with the organization in question first.
• Install an antimalware solution that also covers email in its protective scope. This should remove the chance of you accidentally opening malicious email/malicious attachments in the first place.
• If you suspect DRIDEX infection, immediately change your online banking account passwords using a different (and hopefully uninfected) system, and touch base with your bank to alert them for any fraudulent transactions taking place. Do the same for any account that you may have accessed using your infected system.

Researchers at Microsoft recently reported a spike in threats using macros during the month of December.  Specifically, Microsoft spotted two macro downloaders spreading through spam email campaigns: TrojanDownloader: W97M/Adnel and TrojanDownloader:O97M/Tarbir. The threats appear to be targeting Microsoft customers predominantly in the US and UK.

"Using macros in Microsoft Office can help increase productivity by automating some processes," according to the Microsoft Malware Protection Center. "However, malware authors have also exploited these capabilities. Since Microsoft set the default setting to "Disable all macros with notification", the number of macro-related malware threat has declined. More recently we have seen new threats emerging that include some form of social engineering to convince users to manually enable macros and allow the malicious code to run."