Dridex, the banking Trojan, is back, and its newest campaign steals credit card data in addition to banking credentials using an Automatic Transfer System (ATS). The malware harvests a victim’s credentials, hijacks the authenticated online banking session and transfers money directly to accounts the criminals control. Just when you thought Dridex was dead, it rises out of the ashes with new command and control infrastructure and, apparently, a new group of cybercriminals running it.
Return of Dridex
A Spanish company called Buguroo exploited a weakness in the malware’s Command & Control (C&C) infrastructure to gain insight into how it is being spread. Their analysis of the Dridex C&C panel and attack mechanism revealed that the malware is being used in a wider range of malicious campaigns and may be under the control of an entirely new set of cybercriminals. The Dridex operation was believed to have been broken up in October 2015, when US and UK authorities, working with private companies, arrested a Moldovan national in connection with it. Less than a month later, several security researchers noticed a Dridex resurgence.
Dridex Upgraded to Steal Credit Card Info
“What we discovered is that the Dridex malware is now being used for banking and credit card theft, and the C&C had an exploitable weakness that is out of character with the level of skill in the rest of the Dridex programming,” says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of Buguroo. “This is conjecture, but based on our analysis, the implication is that after October’s takedown, someone new seems to be developing Dridex versions.”
“The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts,” says Ferrezuelo.
Dridex, known for stealing banking information, is now being used to steal credit card information via an Automatic Transfer System and has been found to distribute the Locky ransomware payload.
“Also, we found that victims are being targeted from companies all around the world, including Latin America and Africa,” he says. “This is quite new, as the first versions of Dridex were focused on English-speaking countries like Australia, the UK, and the U.S., mainly.”
Buguroo found that Dridex had compromised systems in over 100 countries and collected credit card information from 900 organizations in 10 weeks. There may be as many as 100 million credit cards compromised.
Exploit Kits Make Hacking Easy
This iteration of Dridex may be new, but banking Trojans and ransomware evolving and becoming more damaging over time is not. More and more cybercriminals are buying exploit kits and ready-made malware rather than building their own, so the number of attacks and successful ransoms continues to rise. Cybercriminals collected $209 million in the first three months of 2016 by extorting businesses and institutions into paying to decrypt data on their servers.
“At that rate, ransomware is on pace to be a $1 billion a year crime this year” according to an unnamed FBI agent interviewed by CNN. The number "is quite high" because a few people "reported large losses." The agency also said the losses could be larger than previously reported because other costs for the extortions are not yet factored in. Also, many companies choose not to report paying the ransom, so those payments are not included.
How to Prevent a Breach
There are a number of things you can do today to prevent malicious software like banking Trojans and ransomware from entering your network.
Employee Education - Train employees regularly on how phishing works and what to look for in email (unexpected attachments, documents that ask you to enable macros, links whose target does not match the displayed text), since phishing email is how banking Trojans and ransomware usually arrive.
Run nightly backups - Backups won’t undo the damage done by a banking Trojan, but they are what lets you restore data after a ransomware attack. Keep at least one copy offline or otherwise unreachable from infected machines, because ransomware encrypts any backup it can reach, and test your restores regularly.
Advanced Endpoint Protection – Use behavior-based detection to catch suspicious activity that signature-based antivirus misses; a freshly repacked Dridex sample has no known signature until someone submits it.
Deploy WatchPoints: "WatchPoints" are files placed on your network to lure attackers who have breached your defenses. For example, one WatchPoint offered is a Microsoft Word document that alerts you when it is accessed. The idea is to give it a very attractive title like “Sensitive Passwords.docx” to tempt the cybercriminals. If the document is retrieved, you and the WatchPoint team automatically receive a notification.
Contact us to see how a simple WatchPoint sensor disguised as a Microsoft Word file works. When someone opens the document, you will get an email alert.
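The lure-file idea above can be built in-house as well. The following Python script is an added example, not WatchPoint’s product code: it plants a decoy document, records its inode metadata as a baseline, and reports when the file is read, modified, replaced or deleted. Everything in it is constructed for illustration: the lure name, the placeholder bytes written into it, and the assumption that the host filesystem updates access time on reads (Linux relatime or strictatime).

```python
"""Decoy ("honey") file monitor: alert when a lure document is touched.

Added example; it is not WatchPoint's product code. It assumes a
POSIX-like filesystem that updates inode metadata on access (relatime
or strictatime). On noatime mounts, and on Windows where last-access
updates are often disabled, only modification, replacement and
deletion are detectable this way.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Fingerprint:
    """Metadata snapshot of the decoy; nobody legitimate should change it."""
    inode: int
    size: int
    atime_ns: int
    mtime_ns: int
    ctime_ns: int


# Constructed lure content; a real lure would be a plausible .docx file.
LURE_BYTES = b"PK\x03\x04 constructed placeholder, not a real document\n"


def fingerprint(path: str) -> Optional[Fingerprint]:
    """Current metadata of the decoy, or None if it no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Fingerprint(st.st_ino, st.st_size, st.st_atime_ns,
                       st.st_mtime_ns, st.st_ctime_ns)


def plant_decoy(path: str, content: bytes = LURE_BYTES) -> Fingerprint:
    """Write the lure and return its baseline fingerprint.

    atime is set just before mtime so that a relatime-mounted filesystem
    is guaranteed to refresh it on the very next read of the file.
    """
    with open(path, "wb") as fh:
        fh.write(content)
    st = os.stat(path)
    os.utime(path, ns=(st.st_mtime_ns - 1, st.st_mtime_ns))
    return fingerprint(path)


def check_decoy(path: str, baseline: Fingerprint) -> list[str]:
    """Compare the decoy against its baseline and return a list of events."""
    now = fingerprint(path)
    if now is None:
        return ["decoy removed or renamed"]
    events = []
    if now.inode != baseline.inode:
        events.append("decoy replaced (inode changed)")
    if now.size != baseline.size or now.mtime_ns != baseline.mtime_ns:
        events.append("decoy content modified")
    elif now.ctime_ns != baseline.ctime_ns:
        events.append("decoy metadata changed (owner, mode or link count)")
    if now.atime_ns != baseline.atime_ns:
        events.append("decoy read")
    return events


def watch(path: str, baseline: Fingerprint, interval: float = 1.0,
          max_checks: Optional[int] = None,
          alert: Callable[[str], None] = print) -> int:
    """Poll the decoy, alert on every event, and return the alert count."""
    fired = 0
    checks = 0
    while max_checks is None or checks < max_checks:
        for event in check_decoy(path, baseline):
            alert(f"[{time.strftime('%Y-%m-%d %H:%M:%S')}] {path}: {event}")
            fired += 1
        if fired:
            break          # investigate and re-baseline before resuming
        checks += 1
        time.sleep(interval)
    return fired


def run_demo() -> dict:
    """Plant a lure in a temp dir and simulate an intruder touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        decoy = os.path.join(tmp, "Sensitive Passwords.docx")
        base = plant_decoy(decoy)
        results = {"untouched": check_decoy(decoy, base)}
        with open(decoy, "ab") as fh:     # intruder edits and saves the lure
            fh.write(b"\n")
        results["modified"] = check_decoy(decoy, base)
        os.remove(decoy)                  # intruder deletes it to cover tracks
        results["removed"] = check_decoy(decoy, base)
    return results


if __name__ == "__main__":
    for stage, events in run_demo().items():
        print(f"{stage:>9}: {events or ['no alert']}")
```

In production you would call `plant_decoy` once, store the fingerprint somewhere the intruder cannot edit, and run `watch` from a separate host or service account that never opens the file itself. Two caveats: polling access time only works where the filesystem records reads (many Windows systems do not update last-access time by default, so there a file-system audit rule on the lure, which logs an access event, is the more reliable route), and a decoy only helps if its name and location are believable enough that an attacker rummaging through a share will open it.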