Dridex Launches Dyre-Like Attacks in UK, Intensifies Focus on Business Accounts
IBM
X-Force researchers have been following new developments in the Dridex Trojan's attack methodologies. In their latest alert, researchers divulged a new modus operandi launched by Evil Corp, the cybercrime group that owns and operates the Dridex banking Trojan.
Dridex Learns From Dyre
Dridex recently released a new malware build with some internal bug fixes. The new version, v196769, which is v.3.161, was first detected on Jan. 6, 2016. The release of the new build was immediately followed by an infection campaign that used the Andromeda botnet to deliver malware to would-be victims. Campaigns are mainly focused on users in the U.K.
Recipients of Dridex spam received by email a Microsoft Office file attachment purporting to be an invoice. The file contained poisoned macros that, once enabled, launch the exploitation and infection process of the Dridex Trojan. The resulting communications appear to be taking place with Dridex's sub-botnet No. 220.
X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware's operators have made considerable investments in a new attack methodology. The new scheme is not entirely novel; it copies the concept of the Dyre Trojan's redirection attack scheme. The difference between Dyre and Dridex is the way in which the redirection takes place: Dyre redirects via a local proxy, while Dridex redirects via local DNS poisoning.
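Because the redirection described above happens on the infected host rather than in the network, a defender's first check is whether local name resolution has been overridden for the sites being protected. The following is an added example, not code from the IBM X-Force post and not a description of Dridex's actual implementation: it assumes the local poisoning shows up as hosts-file entries (an assumption; the post does not specify the mechanism) and classifies each override as a remote redirect, which is the Dridex-style behaviour the post describes, or a loopback mapping consistent with a local proxy, which is the Dyre-style behaviour. The domain names and addresses in the sample hosts text are constructed placeholders.

```python
"""Flag hosts-file overrides for monitored domains.

Added example; not from the IBM X-Force post. Assumes local DNS poisoning
manifests as hosts-file entries (an assumption, the post does not say).
"""
import ipaddress

# Constructed watchlist of base domains whose resolution should never be
# pinned locally. Placeholder names, not real banking hostnames.
MONITORED_BASE_DOMAINS = {"examplebank.test"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_monitored(hostname, base_domains=MONITORED_BASE_DOMAINS):
    """True if hostname equals or is a subdomain of any monitored base domain."""
    return any(hostname == base or hostname.endswith("." + base) for base in base_domains)


def classify_target(ip):
    """Loopback targets suggest a local proxy; anything else is a remote redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-address"
    return "local-proxy" if addr.is_loopback else "remote-redirect"


def find_overrides(hosts_text, base_domains=MONITORED_BASE_DOMAINS):
    """Return every hosts entry that pins a monitored domain, with a classification."""
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if is_monitored(name, base_domains):
            findings.append({"domain": name, "ip": ip, "kind": classify_target(ip)})
    return findings


# Constructed sample hosts file: two benign lines, one harmless developer
# override, and three entries that pin monitored domains.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# developer override, harmless
127.0.0.1   dev.internal.test
203.0.113.10  online.examplebank.test www.examplebank.test
127.0.0.1   secure.examplebank.test
"""

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(f"{finding['kind']:16} {finding['domain']} -> {finding['ip']}")
```

On a real host the text would come from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`, and a clean machine should produce no findings for the monitored list at all; any hit, loopback or otherwise, is worth an incident ticket rather than a judgment call.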
What Are Redirection Attacks?
Read the rest of this post here.
SC Mag coverage: http://www.scmagazine.com/researchers-spot-dridex-using-dns-attacks-to-trick-victims/article/466192/