Kaspersky Lab has compiled a report on the history and evolution of the Dridex banking Trojan – a six-year-old threat that has caused millions of dollars’ worth of damage, and which continues to adapt and attack successfully despite many attempts to stop it. The report includes a thorough technical examination of the most recent version of the malware – the 4th, which appeared in 2017.
Still armed and dangerous
According to the report, Dridex – which mainly targets customers of financial/banking institutions in Europe - has been owned and developed by the same people since its creation. This is very rare for malware. Dridex also stands apart from other malware in its continuous evolution and increasing sophistication, as well as its ability to escape justice by hiding its main command-and-control (C&C) servers behind proxying layers.
Older versions stop working as soon as new ones appear, and each improvement is another step forward in terms of development. For example, the Dridex developers continue to implement new techniques for evading the User Account Control (UAC) system – thereby enabling the malware to run on Windows systems.
In the early months of 2017, Dridex activity was spotted in several European countries, with the UK accounting for nearly 60% of all detections, followed by Germany and France. The malware never works in Russia.
The report reviews the theory that the authors of Dridex are the same as the people behind Gameover Zeus, a (now defunct) offshoot of the main Zeus malware family that was specifically designed to steal victims’ financial credentials and use them for fraudulent wire transfers. Both have used the same malware in their web injection tools. This could, however be the result of code being leaked or stolen.
Why does this matter to business and consumers?
The Dridex banking Trojan first appeared in 2011 and has become a major financial cyber-threat. In 2015, the damage done by the Trojan was estimated at over $40 million – and by now the cost is estimated to run into hundreds of millions of dollars. There have been numerous unsuccessful attempts to block the Trojan’s activity but it remains active. It is therefore vital that financial services and banking organisations understand the current nature of the threat, as well as its evolution, so they can better defend themselves and their customers.
You can read the full report on Securelist.com
Kaspersky Lab advice: for business
- Have an effective fraud prevention solution in place, so that you can quickly and accurately spot unauthorised use of customer accounts and irregular financial activity.
- Inform and educate customers about essential cyber-security practices and the kind of emails, attachments and requests they would never receive from you.
- Consider investing in threat intelligence so that you can understand the rapidly evolving and emerging threat landscape and can help your organisation and customers to prepare. Find out more at firstname.lastname@example.org.
Kaspersky Lab advice: for consumers using online banking services
- Don’t open, and delete, any emails with suspicious-looking attachments, from people you don’t know, or which you are not expecting.
- Don’t click on suspicious looking links in emails.
- If the email appears to come from your bank or other trusted organisation, check with them first.
- Visit only websites you trust.
- Install a robust security solution – and implement all updates.
- Implement multi-factor authentication.
- Don’t enable Macros.