Two of the Internet's biggest banking botnets, Dyre and Dridex, are starting to employ similar techniques

Jan 20, 2016 13:47 GMT

The most recent wave of attacks on banking users with the Dridex banking trojan reveals that the malware's authors may have borrowed code from the Dyre banking malware, as IBM's X-Force security team reports.

Dyre and Dridex are the Internet's first- and third-ranked banking botnets and have operated until now using different techniques, often in different parts of the globe.

According to IBM, the company spotted a new Dridex version (v3.161) that was launched in attacks in the UK on January 6.

This version of Dridex was distributed through the infrastructure of the Andromeda botnet and spread via fake invoice spam emails carrying weaponized Word documents. Users who downloaded and opened these files were asked to enable Word's macro feature; doing so ran the document's macro, which silently downloaded and installed the Dridex trojan.

Dridex now employs redirection attacks instead of Web injections

What makes this version of Dridex similar to Dyre is the presence of so-called "redirection attacks." Previously, Dridex relied on Web injections: the malware, running on the victim's machine, modified the bank's real Web pages inside the browser to steal the user's credentials and, where possible, hijack the user's transactions.

Dyre, on the other hand, carried out redirection attacks by installing a local proxy on the infected machine. The proxy intercepted the browser's HTTP requests and, for targeted banks, redirected the user to an attacker-controlled server hosting a replica of the bank's website.

Dridex now uses the same technique, but it relies on local DNS poisoning rather than a proxy. The malware tampers with the infected machine's locally cached DNS entries, the records that map a website's hostname to an IP address.

For the targeted banking websites, Dridex rewrites these entries so the bank's hostname resolves to an IP address the Dridex operators control, where they host replicas of the bank's website, just like Dyre. Because the redirection happens at name resolution, the browser still shows the bank's legitimate domain in the address bar, which is what makes the scheme hard for the victim to notice.
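As an added example, not code from IBM X-Force or from the article, here is a check a defender could run on an endpoint to spot this kind of local DNS poisoning: parse the hosts file and a dump of the local DNS cache (in the layout of Windows' `ipconfig /displaydns` output) and flag any monitored banking hostname that resolves to an address outside the ranges the bank is known to use. The domain names, the expected address ranges and both sample inputs are constructed placeholders; a real deployment would load the bank's published ranges instead.

```python
"""Detect local DNS poisoning of banking domains.

Added example, not from IBM X-Force or the article. Given the text of a
hosts file and a local DNS cache dump, flag any monitored hostname that
resolves to an address outside the networks we expect for it. All domains,
ranges and sample inputs below are constructed placeholders.
"""
import ipaddress
import re

# Hypothetical allow-list: bank hostname -> networks its real servers live in.
EXPECTED_RANGES = {
    "online.examplebank.test": ["198.51.100.0/24"],
    "secure.otherbank.test": ["203.0.113.0/24"],
}

HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return (hostname, ip) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comment
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            pairs.append((name.lower(), ip))
    return pairs


def parse_dns_cache(text):
    """Parse `ipconfig /displaydns`-style output into (hostname, ip) pairs.

    Only A and AAAA records matter here; other record types are skipped.
    """
    pairs = []
    record_name = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Record Name\s*[.\s]*:\s*(\S+)", s)
        if m:
            record_name = m.group(1).lower()
            continue
        m = re.match(r"(?:A \(Host\)|AAAA) Record\s*[.\s]*:\s*(\S+)", s)
        if m and record_name:
            pairs.append((record_name, m.group(1)))
    return pairs


def find_poisoned(pairs, expected=EXPECTED_RANGES):
    """Return sorted unique (hostname, ip) pairs where a monitored host
    maps to an address outside its expected ranges."""
    hits = set()
    for name, ip in pairs:
        if name not in expected:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.add((name, ip))  # unparseable address for a bank host is itself suspicious
            continue
        if not any(addr in ipaddress.ip_network(n) for n in expected[name]):
            hits.add((name, ip))
    return sorted(hits)


# Constructed sample inputs: one injected hosts entry and a matching cache record.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.45      online.examplebank.test www.examplebank.test   # injected entry
203.0.113.10    secure.otherbank.test
"""

SAMPLE_DNS_CACHE = """\
    online.examplebank.test
    ----------------------------------------
    Record Name . . . . . : online.examplebank.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.45
"""


def scan(hosts_text=SAMPLE_HOSTS, cache_text=SAMPLE_DNS_CACHE):
    """Run both parsers and return the poisoned (hostname, ip) pairs."""
    return find_poisoned(parse_hosts(hosts_text) + parse_dns_cache(cache_text))


if __name__ == "__main__":
    for name, ip in scan():
        print(f"ALERT: {name} resolves to {ip}, outside its expected ranges")
```

The check only covers hostnames in the allow-list, so its value depends on keeping that list and the expected ranges current; a mismatch between the address bar's domain and the TLS certificate presented by the server is a complementary signal the browser itself will surface.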

Dridex and Dyre may be sharing developers

These fake bank websites work as a man-in-the-middle: they ask the user for their banking authentication details and silently forward them to the real website for verification. Depending on what the user is trying to do in their account, the fake site serves realistic replica pages while logging everything the user enters, or hijacks the banking transaction and diverts the funds to mule accounts, from which the money is quickly withdrawn.

IBM notes that these replica websites can handle tokens, second passwords, answers to secret questions, and even two-factor authentication codes: because the session is relayed to the real bank in real time, a one-time code the victim types in is simply passed along and used before it expires.

The researchers also observed that, in the first week, Dridex operators targeted only two UK banks; by the second week, the list had grown to 13 fully working replica websites.

"Dridex seems to be heavily inspired by the Dyre Trojan, and it is not impossible that the two groups share some key developers or management," says IBM's Limor Kessem. "It’s therefore possible that Dridex borrowed or bought the site replicas from the Dyre group and moved to the new attack method in the same geography where Dyre used it before."

Most of the replica websites target business banking customers, whose accounts offer attackers far larger payouts than personal banking accounts.