Malware News Dridex Banking Trojan Now Targets Smaller Countries as Well

[Exterminator]

Recent versions of the Dridex banking trojan now target smaller countries that have not been previously targeted by Dridex or other trojans on a regular basis.

Banks in countries such as Estonia, Latvia, Lithuania, the Cayman Islands, Cyprus, Lebanon, and Liechtenstein have now joined similar financial institutions from classic Dridex targets such as the US, the UK, Canada, and Australia.

Dridex's resurgence comes after a three-month break during which the Dridex and Necurs botnets have been busy distributing mainly Locky ransomware.

Besides support for some smaller countries, a Forcepoint report has identified possible support for targeting crypto-currency wallets.

Dridex now focuses more on the enterprise banking sector
A recent IBM X-Force report also highlights the same discoveries made by the Forcepoint team, who also discovered a general shift in Dridex's mode of operation, moving from the consumer market to the enterprise sector.

Since the start of the year, Dridex has been adding support for financial portals, not necessarily consumer-end banking portals.

The list includes software platforms commonly found in financial institutions, used to manage money transfers and several other financial operations.

Dridex is going after bank employees, not just bank customers
The Dridex gang is taking a page from the Carberp manual and targeting the bank's employees instead of the bank's customers. This new focus also explains the smaller spam floods coming from the Dridex and Necurs botnets spreading the Dridex Loader, and the massive amounts of spam spreading the Locky ransomware instead.

The Dridex gang has shifted focus from spamming using a shotgun approach to targeted spamming, aiming only at a small number of targets.

According to IBM, recent Dridex configuration files contain filters that activate the trojan when certain financial or banking software is detected. This is different compared to past Dridex filters that activated based on a strict URL, and not a loose and generic pattern like it started doing recently.

New Dridex targets include background check apps and job portals
Some of the platforms it targets are deployed at companies that deal with treasury services, corporate banking, investment banking, offshore banking, ACH payments, payroll services, and wealth management.

Strangely enough, Dridex also contains filters in its configuration files that target apps for background checks and recruitment sites. The last two are a mystery, but IBM suspects these could be wealthy sources for extracting sensitive user data that could be used in various forms of fraud.

There is no general change in the way Dridex spreads, and if users avoid turning on macro support in their Office files, they should be safe in most situatio

ns.