Dridex Launches Dyre-Like Attacks in UK, Intensifies Focus on Business Accounts

IBM X-Force researchers have been following new developments in the Dridex Trojan’s attack methodologies. In their latest alert, researchers divulged a new modus operandi launched by Evil Corp, the cybercrime group that owns and operates the Dridex banking Trojan.

Dridex Learns From Dyre

Dridex's operators recently released a new malware build containing internal bug fixes. The new build, v196769 (v.3.161), was first detected on Jan. 6, 2016. Its release was immediately followed by an infection campaign that used the Andromeda botnet to deliver the malware to would-be victims. The campaigns focus mainly on users in the U.K.

Recipients of the Dridex spam received an emailed Microsoft Office file attachment purporting to be an invoice. The file contained poisoned macros that, once enabled, launch the exploitation and infection process of the Dridex Trojan. The resulting communications appear to take place with Dridex's sub-botnet No. 220.

X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology. The new scheme is not entirely novel; it copies the concept of the Dyre Trojan’s redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.
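As an added illustration for defenders (this is not code from the X-Force alert or from the malware itself), the following Python checker flags the kind of host-level DNS redirection the paragraph above describes. It assumes, which the alert does not state, that the poisoning becomes visible either as a hosts-file entry for a monitored domain or as a local resolver answer that shares no address with a known-good answer set; all domains and addresses are constructed placeholders.

```python
"""Detect host-level DNS redirection of monitored (e.g. banking) domains.

Added example, not Dridex code and not IBM X-Force tooling. It assumes
(assumption, not stated on the page) that the poisoning is visible as
a local hosts-file entry or as a resolver answer that disagrees with a
known-good answer for the same name.
"""
import ipaddress

# Constructed watchlist of domains a defender cares about (placeholders).
WATCHED_DOMAINS = {"bank.example", "login.bank.example"}


def _matches_watchlist(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in watched)


def find_hosts_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, name) for each hosts entry that pins a watched name.

    A legitimate hosts file should never map a bank's domain to an address,
    so any such line is a strong indicator of local DNS poisoning.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for name in fields[1:]:
            if _matches_watchlist(name, watched):
                findings.append((line_no, str(ip), name.lower()))
    return findings


def resolver_disagrees(observed, expected):
    """True when the locally observed answers share no address with the known-good set."""
    obs = {ipaddress.ip_address(a) for a in observed}
    exp = {ipaddress.ip_address(a) for a in expected}
    return not (obs & exp)


# Constructed sample hosts file; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# ordinary dev entry, not on the watchlist
10.0.0.5    intranet.corp.local
203.0.113.7 bank.example www.bank.example   # constructed poisoned entry
"""

if __name__ == "__main__":
    for hit in find_hosts_overrides(SAMPLE_HOSTS):
        print("hosts override:", hit)
```

Run on a real endpoint by reading the system hosts file into `find_hosts_overrides` and feeding the answers from a local lookup and from a trusted out-of-band resolver into `resolver_disagrees`.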

What Are Redirection Attacks?
