What is Dridex and am I safe?
What is Dridex?
Dridex is the name given to a ‘newly’ discovered malware designed to eavesdrop on a victim’s computer and steal personal information. The information the malware is particularly interested in is online banking usernames and passwords.
Dridex was first spotted back in November 2014, although it has hit the headlines today (BBC News Dridex Story) as an international law enforcement operation has cracked down on its authors. The authors, “Evil Corp”, have been targeted by the National Crime Agency and the American FBI, with one arrest already reported in Cyprus (Andrey Ghinkul, a 30-year-old Moldovan).
How has Dridex spread?
Dridex is being spread using well-crafted emails. Once again the success of this malware is down to users opening a file attachment from a supposedly safe source, which then installs the malware on their machine. This is another great example of social engineering, where a well-designed phishing email has been used to trick users into opening a file they are not expecting.
Below is an example of an infected email that one of our clients recently received (redacted to protect the source of course).
Dridex is not a worm, so once a user is infected it doesn’t send itself on to your entire address book. Instead its recipients seem to be more actively targeted for initial infection.
A report from Fujitsu in September of this year indicated, however, that the authors may have been using an email database containing some 385 million email addresses.
How does Dridex infect a computer and work?
As you can see from the picture above, there is an attachment to the email. In this case it is an Excel file, but Microsoft Word documents are also used. These files contain a macro (some code which runs when the file is opened). This macro then installs and runs the malware.
This is good news for a lot of users, as Dridex has to be manually installed: a user has to actively click to open the file and run the macro. The issue is that many users do not realise the risk of doing so; after all, the email can look very real! In newer versions of Microsoft Office macros are disabled by default, but a user can still choose to enable them, and many of us do not use the latest version.
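A check a mail gateway or help desk could run on an incoming attachment before a user opens it, added here as an example and not part of the original post: it flags modern Office (OOXML) files that carry a VBA project, which is the container a macro lives in, and marks legacy binary Office files for manual review. The sample files are constructed inline and are not real workbooks.

```python
import io
import zipfile

# OOXML Office files are ZIP containers; a VBA macro project is stored as
# xl/vbaProject.bin in Excel workbooks and word/vbaProject.bin in Word documents.
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin")
# Legacy .xls/.doc files are OLE2 compound files and can also embed macros,
# so they are reported separately for manual review.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office' for raw file bytes."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types part; a plain ZIP does not.
    if "[Content_Types].xml" not in names:
        return "not-office"
    if any(part in names for part in MACRO_PARTS):
        return "macro"
    return "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Excel-style OOXML container (demo only, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("invoice.xlsm", build_sample(True)),
                         ("report.xlsx", build_sample(False))):
        print(name, "->", classify_attachment(sample))
```

Anything reported as "macro" or "legacy-ole" is worth holding back or asking the sender about before it is opened.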
Once installed, Dridex is a fairly powerful piece of malware. It can upload and download other programs, but it is mainly logging what a user is doing: keylogging internet browsers (to capture your usernames and passwords) and taking screenshots of what you are doing, then sending these back to the command and control servers (the bad guys).
So, unnoticed, Dridex can capture logins for any service you use on your PC and send them back to HQ, where the criminals can log in and make any change that you yourself could…such as withdrawing cash or sending some hate mail from your mail client. The National Crime Agency said today that up to £20m has been taken by Dridex in the UK.
Who has been targeted?
Dridex has been targeting small to medium businesses: those businesses which perhaps don’t invest that much in cyber security or do not realise they are at risk. This is one of the many reasons we at SafeHack UK are trying to raise awareness among SMBs. Larger businesses flagged these emails as they came in, but many of the smaller victims did not, either down to poor user training or poorly implemented cyber security controls.
Fortunately the botnet that was running Dridex was disrupted by a Dell team in late August, after they received approval to hack the hackers. It is still certainly prudent to check your bank statements carefully, however, if you have recently opened any emails you should not have (also contact us about our simulated phishing campaign to raise awareness!).
How to stay safe?
As with very many other malware attacks, Windows users need to ensure they have an up-to-date antivirus program. This is ALWAYS a recommendation and a good base point for security. Beyond that you need to be aware of and vigilant about the emails that are being sent to you – as mentioned in an earlier blog post…if you are not expecting an email, certainly do not open the attachment.