Dridex – forever changing, eternally a problem


Trevor Reschke Head of Threat Intelligence

This week saw Trusted Knight in the news talking about Dridex as Forcepoint researchers spotted the seemingly un-killable banker Trojan being tailored by criminals using compromised FTP sites as a launchpad for attacks.


A piece of malware with an unfortunately strong pedigree


The threat is a testament to the longevity and flexibility of the modern malware platform. Why platform? To give the answer some context, we need to dig into the history of this piece of malicious software. Dridex was first spotted in 2014, but is actually a variant of Cridex from 2011, which in itself is thought to have originated from Zeus, the grand-daddy of banker malware first spotted in the wild over ten years ago.

Zeus eventually became a victim of its own success. It took a battering from coordinated law enforcement campaigns, the supposed retirement of the original creator and a source code leak. Cridex similarly sputtered to a halt, passing the torch on to a modified version of itself called Dridex around the middle of 2014.

From here the malware has gone from strength to strength. Despite its age, it is still a big problem today for security teams and consumers, given relevance by the flexibility of its underlying software. In the cybercriminal underground, the ability to take a core piece of malware and improve upon it using the wisdom of the crowds effectively means it is in a never ending agile development cycle. This borrows heavily from an approach used by big software companies, an endless rotation of developers continually working on separate improvements. However, this ‘team’ has no official affiliation, hides behind VPNs uses bulletproof hosting or compromised FTPs and discusses dev milestones not on Slack but on underground forums. It has even been a part of inside jobs on banks.


The result?


The end result is a piece of malware that is ruthlessly effective at stealing banking details by stealing logins and passwords, and injecting malicious code. It has largely eclipsed Zeus in terms of variants – continually cycling its appearance, morphing and making it very hard for traditional endpoint protection to spot. Users who don’t update their home protection frequently are particularly vulnerable. Currently extant variants also have stronger disruption-resistant command and control mechanisms that use SSL, improved user access control and an array of bypass techniques, rendering countermeasures mostly useless.

All this leaves bank users out of pocket, gives security vendors a headache and leaves security teams at banks with a migraine. Estimations of stolen funds range into the billions, however as is often the case with such campaigns, it is hard to count money siphoned into criminal bank accounts. Banks in Western Europe have been especially hard hit.


The resolution


Aside from switching off the Internet and forcing people to bank in brick and mortar branches, a comprehensive solution is difficult. Regulation and coordinated law enforcement can make a dent from a macro perspective, but these take time and are an endless game of whack-a-mole.

This leaves technology to pick up the problem. For everyday online banking users, unfortunately people assume the antivirus they have on their laptop is invincible. Unfortunately, endpoint protection is increasingly ineffective against Dridex, even though people can be afforded some protection from older recognized variants by making sure their AV or anti-malware is up to date. In addition, as the Trojan is delivered through spam campaigns and uses Microsoft Office macros, the usual advice applies to being aware of clicking on unknown attachments.

The big question lies with banks. Unwittingly thrust into a position of caring for their customers’ home security, they need to evolve the way they think about the problem. If endpoint protection cannot block malware on devices and is leading to billions of dollars disappearing, the obvious solution is to not rely on it, rather focusing on protecting the transaction stack when a user interacts with a bank’s digital property, blocking Dridex from participating in any part of the transaction communication. As we have pointed out before, only by cutting off the malware herder from its malicious flock, can financial services organizations be assured that information is safe.