Kaspersky Lab has compiled a report on the history and evolution of the Dridex banking Trojan, a six-year-old threat that has caused millions of dollars' worth of damage and continues to adapt and attack successfully despite many attempts to stop it. The report includes a thorough technical examination of the most recent version of the malware, the fourth, which appeared in 2017.
Still armed and dangerous
According to the report, Dridex, which mainly targets customers of financial and banking institutions in Europe, has been owned and developed by the same people since its creation, which is very rare for malware. Dridex also stands apart from other malware in its continuous evolution and increasing sophistication, and in its ability to escape takedown by hiding its main command-and-control (C&C) servers behind layers of proxies.
Older versions stop working as soon as new ones appear, and each release builds on the last. For example, the Dridex developers continue to implement new techniques for bypassing User Account Control (UAC), so that the malware can obtain administrative privileges on Windows systems without the user seeing a consent prompt.
In the early months of 2017, Dridex activity was spotted in several European countries, with the UK accounting for nearly 60% of all detections, followed by Germany and France. The malware never operates in Russia.
The report reviews the theory that the authors of Dridex are the same people behind Gameover Zeus, a now-defunct offshoot of the main Zeus malware family that was specifically designed to steal victims' financial credentials and use them for fraudulent wire transfers. Both have used the same code in their web-injection tools. This could, however, be the result of code being leaked or stolen.
Why does this matter to business and consumers?
The Dridex banking Trojan first appeared in 2011 and has become a major financial cyber-threat. In 2015, the damage done by the Trojan was estimated at over $40 million, and by now the cost is estimated to run into hundreds of millions of dollars. There have been numerous attempts to block the Trojan's activity, but none has succeeded and it remains active. It is therefore vital that financial services and banking organisations understand the current nature of the threat, as well as its evolution, so they can better defend themselves and their customers.
You can read the full report on Securelist.com.
Kaspersky Lab advice: for business
- Have an effective fraud prevention solution in place, so that you can quickly and accurately spot unauthorised use of customer accounts and irregular financial activity.
- Inform and educate customers about essential cyber-security practices and the kind of emails, attachments and requests they would never receive from you.
- Consider investing in threat intelligence so that you can understand the rapidly evolving and emerging threat landscape and can help your organisation and customers to prepare. Find out more at email@example.com.
Kaspersky Lab advice: for consumers using online banking services
- Delete, without opening them, any emails that carry suspicious-looking attachments, come from people you don't know, or that you were not expecting.
- Don't click on suspicious-looking links in emails.
- If an email appears to come from your bank or another trusted organisation, contact them directly through a channel you already know (not via a link or phone number in the email) before acting on it.
- Visit only websites you trust.
- Install a robust security solution, and keep it, your operating system and your applications fully updated.
- Enable multi-factor authentication wherever your bank offers it.
- Don't enable macros in documents you receive by email.
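The last item in both lists above (educating users, and not enabling macros) is easier to rely on when the setting is enforced rather than left to the user. The following PowerShell is an added example, not code from Kaspersky Lab or the Dridex report: it applies the Office policy registry values that disable VBA macros and block macro execution in files downloaded from the internet or received as email attachments. It assumes an Office 16.0 hive (Office 2016/2019/Microsoft 365) and manages only Word, Excel and PowerPoint; adjust $OfficeVersion and $Apps for other builds, or deploy the same values through Group Policy in a domain.

```powershell
# Added example (not from the Kaspersky report): enforce "don't enable macros"
# on a Windows host via the Office policy registry keys.
# Assumptions: Office hive 16.0; Word, Excel and PowerPoint are the apps to manage.
# Policy values under HKCU:\Software\Policies take precedence over the user's
# own Trust Center choices, so a user can no longer click "Enable Content".

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($App in $Apps) {
    $PolicyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }

    # Weak setting (what a user who routinely clicks through the bar effectively has):
    #   VBAWarnings = 1  -> all macros run with no prompt
    # Hardened setting used here:
    #   VBAWarnings = 4  -> all macros disabled, no notification bar to click through
    #   (use 3 instead if digitally signed macros from trusted publishers are required)
    Set-ItemProperty -Path $PolicyPath -Name 'VBAWarnings' -Value 4 -Type DWord

    # Independently block macros in any file carrying the Mark-of-the-Web, i.e.
    # downloaded files and email attachments, whatever VBAWarnings is set to.
    Set-ItemProperty -Path $PolicyPath -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Verify what is now enforced for each application.
foreach ($App in $Apps) {
    $PolicyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    Get-ItemProperty -Path $PolicyPath |
        Select-Object @{ n = 'App'; e = { $App } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Run it in the context of the user whose Office settings should be locked down (HKCU is per user); in a managed estate the equivalent Group Policy settings are "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" under the per-application Trust Center templates.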