May 25, 2017

The Dridex Banking Trojan: an ever-evolving threat

Kaspersky Lab has compiled a report on the history and evolution of the Dridex banking Trojan – a six-year-old threat that has caused millions of dollars’ worth of damage, and which continues to adapt and attack successfully despite many attempts to stop it.

Kaspersky Lab has compiled a report on the history and evolution of the Dridex banking Trojan – a six-year-old threat that has caused millions of dollars’ worth of damage, and which continues to adapt and attack successfully despite many attempts to stop it. The report includes a thorough technical examination of the most recent version of the malware – the 4th, which appeared in 2017.

Still armed and dangerous

According to the report, Dridex – which mainly targets customers of financial/banking institutions in Europe - has been owned and developed by the same people since its creation. This is very rare for malware. Dridex also stands apart from other malware in its continuous evolution and increasing sophistication, as well as its ability to escape justice by hiding its main command-and-control (C&C) servers behind proxying layers.

Older versions stop working as soon as new ones appear, and each improvement is another step forward in terms of development. For example, the Dridex developers continue to implement new techniques for evading the User Account Control (UAC) system – thereby enabling the malware to run on Windows systems.

In the early months of 2017, Dridex activity was spotted in several European countries, with the UK accounting for nearly 60% of all detections, followed by Germany and France. The malware never works in Russia.

The report reviews the theory that the authors of Dridex are the same as the people behind Gameover Zeus, a (now defunct) offshoot of the main Zeus malware family that was specifically designed to steal victims’ financial credentials and use them for fraudulent wire transfers. Both have used the same malware in their web injection tools. This could, however be the result of code being leaked or stolen.

Why does this matter to business and consumers?

The Dridex banking Trojan first appeared in 2011 and has become a major financial cyber-threat. In 2015, the damage done by the Trojan was estimated at over $40 million – and by now the cost is estimated to run into hundreds of millions of dollars. There have been numerous unsuccessful attempts to block the Trojan’s activity but it remains active. It is therefore vital that financial services and banking organisations understand the current nature of the threat, as well as its evolution, so they can better defend themselves and their customers.

You can read the full report on

Kaspersky Lab advice: for business

  • Have an effective fraud prevention solution in place, so that you can quickly and accurately spot unauthorised use of customer accounts and irregular financial activity.
  • Inform and educate customers about essential cyber-security practices and the kind of emails, attachments and requests they would never receive from you.
  • Consider investing in threat intelligence so that you can understand the rapidly evolving and emerging threat landscape and can help your organisation and customers to prepare. Find out more at

Kaspersky Lab advice: for consumers using online banking services

  • Don’t open, and delete, any emails with suspicious-looking attachments, from people you don’t know, or which you are not expecting.
  • Don’t click on suspicious looking links in emails.
  • If the email appears to come from your bank or other trusted organisation, check with them first.
  • Visit only websites you trust.
  • Install a robust security solution – and implement all updates.
  • Implement multi-factor authentication.
  • Don’t enable Macros.

Articles related to Virus News

  • Android Ransomware: Four-fold Increase in Number of Users Attacked in One Year

    The number of users attacked by ransomware targeting Android-based devices has increased four-fold in just one year, hitting at least 136,000 users globally. A report on the ransomware threat landscape, conducted by Kaspersky Lab, also found that the majority of attacks are based on only four groups of malware. The report covers a full two-year period which, for reasons of comparison, has been divided into two parts of 12 months each: from April 2014 to March 2015, and April 2015 to March 2016. These particular timescales were chosen because they witnessed several significant changes in the mobile ransomware threat landscape.

  • Damage to Customer Trust and Corporate Reputation are Among the Most Harmful Consequences of DDoS Attacks

    The consequences of a Distributed Denial of Service (DDoS) attack extend far beyond financial considerations. These attacks damage a company’s relationship with its customers, according to the research from Kaspersky Lab and B2B International.

  • Kaspersky Lab Discovers Important Vulnerability in Popular Energy Equipment

    While performing a security assessment for one of its clients in the critical infrastructure sector, the Kaspersky Lab Security Services team discovered an important vulnerability. The CVE-2016-4785 vulnerability could allow an attacker to remotely obtain a limited amount of device memory content from relay protection equipment. The vulnerability was reported to Siemens, the equipment vendor, and has already been patched.