Dridex

Dridex is an updated variant of Cridex, a banking Trojan and worm. Like its predecessor, Dridex steals bank account information for the purpose of enabling fraudulent money transactions by using attacks with low-visibility symptoms. While multiple nations are under attack from Dridex's current campaign, United States-based PC users are at particularly high risk for infections. E-mail security protocols and the possession of good anti-malware solutions will provide the best protection from Dridex, and related high-level threats.

Compromising Your Finances with Careless E-mail Clicks

Dridex, a recent re-release in a string of banking Trojans that include Cridex, Feodo and Bugat, is using a slightly new distribution tactic to install itself onto vulnerable PCs. Whereas its ancestors have been seen using EXE file attachments, the Blackhole Exploit Kit and the Phoenix Exploit Kit, malware researchers have seen Dridex installed via Microsoft Word documents. Current vulnerabilities rely on the use of in-document macros, which, by default, Microsoft disables as a security measure. However, for PC users who enable this feature, opening these documents may infect their PCs with Dridex with no additional prompts.

Dridex's compromised documents distribute themselves through e-mail, similar to previous attacks that distributed executable installers. These messages are fraudulently identified as invoice transactions from various, reputable companies, such as Humber Merchants LTD (a plumbing and construction company). With Dridex's installation, victims should be aware of the following security risks, all of which also pertain to past versions of associated Trojans:

• Dridex may modify your browser's content or intercept its communications to confiscate bank account information, including user names or passwords.
• Dridex may exploit removable hard drives or local networks to infect other PCs.
• Dridex may conceal itself in the memory processes of unrelated applications. One sign of such a security risk is observing a spike in memory usage from a safe program or unusual behavior (such as a refusal to be terminated from Task Manager).
• Dridex also may communicate with remote servers, which might allow Dridex to install other threats or transfer off stolen data.

Saving Your Funds from an International Trojan

Dridex's last campaign, which began in mid-October of this year, has especially targeted the United States, but other regions, including the United Kingdom, Israel and Germany also are under attack to lesser degrees. Prior campaigns by associated banking Trojans have focused on different nations, with Germany being an especial favorite. However, in most cases, suspicious e-mail links and file attachments remained the primary distribution method.

In cases of e-mail-based threat transmission, malware experts urge all PC users to exercise reasonable caution about fraudulent e-mails disguised with references to real companies. Since opening file attachments is a well-known security risk, legitimate companies never will ask you to do so for the purpose of viewing invoices or other transaction data. Such e-mails should be deleted on sight, unopened. If a Dridex infection already has occurred, you should use anti-malware tools to delete Dridex, and avoid any unneeded contact with other machines that could risk spreading the infection.

Technical Details