Built to harvest the banking credentials of victims, the virulent Dridex is now one of the most dangerous pieces of financial malware in circulation.
Tidal waves of spam are fuelling the growth of the Dridex Trojan, which has emerged as one of the most dangerous financial threats over the past year. The sheer size of the spam campaigns spreading Dridex (detected by Symantec as W32.Cridex) can sometimes overwhelm organizations hit by them.
Symantec analysis of recent Dridex spam campaigns found that they are operating on a vast scale, with millions of new emails being sent out on a daily basis. The attackers behind Dridex are disciplined and professional. They operate on a standard working week, continually refine the malware, and put significant effort into disguising their spam campaigns as legitimate emails.
As detailed in a new Symantec whitepaper published today, at least 145 Dridex spam campaigns were observed during one sample 10-week period. The average number of emails blocked by Symantec per campaign was 271,019, indicating that the total number of emails being sent every day runs to millions.
Almost three quarters (74 percent) of Dridex spam campaigns used real company names in the sender address and frequently in the email text. The vast majority of spam campaigns were disguised as financial emails, such as invoices, receipts, and orders. The spam was heavily focused on English speakers, with the majority of emails purporting to come from English-speaking companies.
Dridex is mainly used to steal banking credentials. The malware is configured to target the customers of nearly 300 different organizations in over 40 regions.
Dridex is heavily focused on customers of financial institutions in wealthy, English-speaking countries, with the majority of targeted organizations located in these countries. The attackers also prioritized other European nations, along with a range of Asia-Pacific regions.
The number of Dridex infections detected by Symantec rose during 2015. Between January and April, there were less than 2,000 infections per month. Infection numbers spiked considerably in the following months, hitting almost 16,000 in June before dropping and stabilizing at a rate of 3,000 to 5,000 per month in the final quarter.
Figure 1. Dridex infections detected during 2015
Dridex infections were detected in a wide range of regions during 2015. English-speaking countries, such as the US, UK, and Australia experienced high rates of infection. This was due to how the attackers configured the malware to attack the large number of banks in these regions, as well as the number of English-language spam campaigns spreading the Dridex Trojan. Western European countries, including France, Germany, Austria, and Switzerland also experienced high infection rates.
The level of activity surrounding Dridex indicates that a large cybercrime group is behind the malware. The US Department of Justice has said that the botnet is “run by criminals in Moldova and elsewhere.”
In October 2015, an international law enforcement operation saw one man charged alongside a coordinated effort to sinkhole thousands of compromised computers, cutting them off from the botnet’s control. It appears this may have only been a partial success as Dridex continues to propagate, indicating that many key elements of the operation are still functioning. The group is likely to continue to pose a serious threat during 2016.
A multi-layered defense strategy maximizes protection against aggressive threats such as Dridex.
The following Symantec and Norton products will help guard against infection:
- Using an email security solution should remove the chance of you accidentally opening malicious email and malicious attachments in the first place.
- Email-filtering services such as Symantec Email Security.cloud can help to filter out potential targeted attack emails before they can reach users.
- Symantec Messaging Gateway’s Disarm technology can also protect computers from this threat by removing the malicious content from the attached documents before they even reach the user.
Intrusion prevention system detections
- System Infected: Trojan.Cridex Activity
- System Infected: Trojan.Cridex Activity 2
- System Infected: Trojan.Cridex Activity 3
- System Infected: Trojan.Cridex Activity 5
- System Infected: Trojan.Cridex Activity 6
- System Infected: W32.Cridex Worm Activity 4
- System Infected: W32.Cridex Worm Activity 6
- System Infected: W32.Cridex Worm Activity 8
- System Infected: W64.Cridex Activity
- Web Attack: Cridex.B Activity
Tips for businesses and consumers
- Always keep your security software up to date to protect yourself against any new variants of this malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of your bank’s website changes.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- If you suspect a Dridex infection, immediately change your online banking account passwords using an uninfected system and contact your bank to alert them to look for any potentially fraudulent transactions.
For more information and a detailed analysis of the Dridex threat, read our whitepaper: