Dridex takes aim at Crypto-currency

Despite going quiet for most of 2016, Dridex appears to have spent that time working on itself, making a number of improvement and targeting crypto-currency wallets

Dridex is ‘being actively developed’, according to ForcePoint researchers
Dridex is ‘being actively developed’, according to ForcePoint researchers

Dridex is widening its view, according to ForcePoint researchers. In fact, the infamous banking Trojan has enlarged its scope to include crypto-currency wallets.

The Trojan has taken a beating in the malware market over 2016, largely being overtaken by Locky.  But as senior security researcher at Forcepoint wrote in his disclosing blogpost, “Dridex is still being actively developed”.

It's principle new development is that its appetite has grown. Upon analysis of the Trojan, researchers found two distinct lists of software that Dridex would target and that both had expanded considerably.

Carl Leonard, principal security analyst at Forcepoint, explained to SCMagazineUK.com: “Dridex has expanded beyond the stealing of online banking credentials to include targeting back-end payment and point-of-sale software, online banking software, and a recently added list of crypto-currency wallet managers.”

Forcepoint will continue to work with CERT-UK on the issue but Leonard further encourages users to be cautions when opening those links.

Robert Page, lead penetration tester at Redscan said it's not surprising that Dridex has now looked towards crypto-currency wallets, given the popularity of things like Bitcoin.

However, what is interesting is that “the malware has improved to prevent analysis by security researchers. Although the anti-sandbox features have been reverse engineered by security researchers in this instance, most likely the malware will continue to improve in future,” said Page.

Dridex's shadowy developers have also beefed up the Trojan in a number of other ways, too. Blacklisting computers, for example, has become ‘trivial', making it easier for the Trojan to hinder sandbox analysis.

Continuing in that vein of making the Trojan harder to analyse, Dridex's developers have employed more complex binary formats over its original XML.

The banking Trojan, which reeked so much havoc in its short life, was first spotted in November 2014. Favouring the bank accounts of European companies over individuals, UK losses from Dridex were supposed to be at least £20 million and global losses were said to be in the region of £100 million.

The supposed ringmaster was locked up last year in an international operation that included the US FBI, Europol and German, UK and Moldovan law enforcement. Smilex also known as Andrey Ghinkul, of Moldova was arrested in Cyprus last August and charged with nine counts of criminal conspiracy, unauthorised computer access with intent to defraud, damaging a computer, wire fraud and bank fraud.

Since then, Dridex has become quiet, its place taken by other pieces of malware.

The piece itself is not too complex. Dridex harvests banking credentials, so its masters can then use those credentials to access private bank accounts and make off with the loot within.

Using HTML injections, the trojan can insert malicious code into otherwise legitimate banking websites, affecting what the user sees. From there, the user enters their credentials thinking that they're merely logging into their banking portal. The information entered is then promptly delivered into the hands of Dridex's controllers, along with the victim's bank account.

It gets in, as so many do, via phishing emails loaded with what are commonly Word or Excel documents. Once the user opens the documents and follows the prompt to ‘turn on macros', the trap is sprung and the computer is infected.

All this has netted the authors of Dridex a nice sum, so why attempt to fix what's not broken? In such a fiercely competitive space as the malware market, developers will often seek to improve their offerings. We saw the same thing just the other day as the Sundown exploit kit was revealed to be stealing exploits from other exploit kits.

It not only has to compete with other malware developers, but their opposites, anti-virus providers and security teams. Mark James, security specialist at ESET, told SC, “Malware without a doubt is getting more and more sophisticated. It's ongoing struggle with anti-Virus and security vendors is forcing changes for it to stay current and successful.”

“The Dridex banking Trojan is doing exactly that, where previously its victims were POS and banking systems it is now acquiring crypto-currency targets to further its attack footprint. These digital currencies have been a common target lately with some huge breaches involving millions of dollars stolen.”

Jonathan Sander, vp of product strategy at Lieberman software told SC that this is only indicative of  larger, more profound trends within cyber-crime: “All this is the result in the shift from the lone wolf bad guy to the professional cyber-crime organisation. Many people picture a hooded man with Cheeto-stained fingers and a messy desk in a basement when they think of the online enemy. In truth, today the bad guys would fit right into the Dilbert cartoons. These are professionals developing software in offices with paychecks, benefits, and normal lives. It's their organised crime bosses that are really different."