Over half of the infections have been recorded in the US

Oct 27, 2014 23:57 GMT

A change in the distribution method of the Dridex banking Trojan was observed last week: attackers now rely on Microsoft Word documents carrying malicious macros to download the malware onto targeted computers.

Dridex is the latest evolutionary link in the Feodo/Bugat/Cridex Trojan family, which earlier developed into Geodo. It preserves the info-stealing capabilities of its previous versions but changes the method used to compromise the computer: earlier versions were delivered as executable attachments sent via email.

Customers of banks in the US are prime targets

During the past week, security researchers at Palo Alto Networks noticed that the attackers resorted to macros in Word documents to deliver the banking Trojan; macros are scripts containing instructions designed to automate repetitive tasks.

Microsoft recognizes the potential for macro abuse and disables them by default in the components of the Office suite, but the user can enable them at any time to increase productivity.

According to the researchers, the Dridex campaign began on October 21, with the actors behind it relying on emails claiming to deliver an invoice document from various brands, including Humber Merchant’s group.

The most targeted country appears to be the US, with more than half of the samples directed to recipients there, although samples of the malicious emails have also been recorded in other regions of the globe: United Kingdom, Taiwan, Netherlands, Canada, Australia, Belgium, Israel, Germany, Norway and Spain.

As soon as the malicious Word document is opened with macros enabled, the script included in it downloads the malware from a compromised website and executes it on the system. Different variants of Dridex are planted on the infected computer this way, all with the same purpose: stealing credentials for online banking websites so that cybercriminals can empty the victim’s accounts.

A good defense is to have macros disabled in Microsoft Word

An analysis from Abuse.ch at the beginning of September shows that, unlike its Feodo predecessor, which targeted mainly financial institutions in Germany, Dridex has shifted focus to banks in the US, UK and Switzerland.

Abuse.ch operates the Feodo Tracker, a service dedicated to keeping an eye on the command and control (C&C) servers used by the actors behind the malware campaign. Of the 93 machines tracked for Dridex communication, the service shows that 12 servers are currently online, four of them located in Russia.

Protecting against the Dridex banking Trojan can be done by disabling the macros feature in Microsoft Word, or in the other component of the Office suite that a given document targets.
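Disabling macros on the endpoint is one control; another is to triage Word attachments before they reach the user. The script below is an added example (not code from the article, Palo Alto Networks or Abuse.ch) that inspects OOXML Word packages (.docx/.docm) for embedded VBA parts and flags macro-carrying files, including ones renamed to .docx to look harmless. It assumes the modern zip-based format only; legacy binary .doc files are out of scope. The sample documents it builds are constructed for offline testing.

```python
import io
import zipfile

# Package parts that exist only when a Word document carries VBA macros.
# Renaming a .docm to .docx does not remove them, so checking the zip
# contents is more reliable than trusting the file extension.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_word_attachment(name: str, data: bytes) -> dict:
    """Describe one attachment the way a mail-gateway triage step would."""
    report = {"name": name, "ooxml": False, "has_vba": False,
              "macro_enabled_type": False, "extension_mismatch": False}
    if not data.startswith(b"PK\x03\x04"):          # not a zip container
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:  # zip, but not OOXML
                return report
            report["ooxml"] = True
            report["has_vba"] = any(p in names for p in MACRO_PARTS)
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_type"] = MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return report
    # A macro-enabled package delivered under a non-macro extension is a red flag.
    ext = name.lower().rsplit(".", 1)[-1]
    macro_ext = ext in ("docm", "dotm")
    report["extension_mismatch"] = (report["has_vba"] or report["macro_enabled_type"]) and not macro_ext
    return report


def should_quarantine(report: dict) -> bool:
    """Hold any Word package that carries VBA, whatever its extension says."""
    return report["ooxml"] and (report["has_vba"] or report["macro_enabled_type"])


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing; the VBA part is a placeholder, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba project")
    return buf.getvalue()
```

Run it over attachments extracted from incoming mail; a positive `extension_mismatch` alone is worth an alert even where the policy is to let signed macros through.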