Cybercriminals Changed Tactics and Started Using ‘Dridex’ to Steal Banking Credentials

According to researchers of Palo Alto Networks, cybercriminals using Dridex banking Trojan to steal sensitive information of Internet users have changed the way of distribution of malware.

Dridex which is the successor of Cridex/Feodo/Geodo trojans was first spotted in July 2014 and cybercriminals use this threat to collect information for fraudulent bank transactions.

Dridex was mostly distributed through executable files attached to spam emails till recently. However, researchers of Palo Alto Networks observed that cybercriminals have started distributing the threat with the help of macros placed inside Microsoft Word documents which look innocent.

The attackers attached complex programs written in Visual Basic for Applications (VBA) to macros in the document files. The macro is designed to download an executable file from one of the many URLs and run it on the infected system.

Researchers say that the malware is hosted on legitimate websites which have been hijacked by the attackers.

Palo Alto confirms that volume of Dridex attacks has reduced much as compared to July and August but the company has warned that latest attacks are still quite more.

Researchers of Palo Alto say that the latest Dridex campaign started on 21st October, 2014 and the actors of this are relying on electronic mails asserting to deliver an invoice from various brands including Humber Merchant's group.

It seems that US is the most targeted nation because more than 50% of the samples belong to recipients in this region although samples of tainted emails have been recorded in other global regions like Taiwan, United Kingdom, Canada, Netherlands, Belgium, Australia, Germany, Israel, Spain and Norway as well.

The moment the malevolent Word document runs, the script in it downloads the malware from a hijacked website and executes it on the system to add various Dridex variants into the tainted computer with all bearing the same purpose of embezzling credentials for online banking sites to enable cybercriminals to drain out the victim's account.

You can protect yourself against this series of Dridex attacks by disabling macros in Microsoft Word. Palo Alto suggested that Macro-based malware has been around well over a decade and most organizations should have this malware disabled by default and enabling macros only for trusted files.

» SPAMfighter News - 11/6/2014