Dridex banking trojan has UK businesses in its sights

The Dridex banking Trojan is heavily targeting the UK.

Following the publication of a heatmap which showed the interest in the UK, Peter Kruse, head of Danish security firm CSIS, said that the heavy targeting of the malware against UK businesses and users is unusual, but it is obvious that those behind this malware family have a special interest in consumers as well as companies located in the UK.

He said: “The primary purpose of Dridex is to harvest sensitive data and manipulate forms and content belonging to online banking. This way it lures the user to enter additional login information in order to circumvent certain security mechanisms. Dridex is especially interested in fat bank accounts.”

According to research by Proofpoint, Dridex is a well-known strain of malware that leverages macros in Microsoft Office to infect systems and often operates by arriving in spam emails, posing as a Word document.

If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

Kruse said that Dridex is still being maintained and developed and, even though it is rather well documented by malware researchers and anti-virus companies, it's still very tough to provide static detection for this type of threat and even to block the way it communicates with its command and control servers.

Kevin Epstein, VP of advanced security and governance at Proofpoint, told IT Security Guru that it has seen waves of malicious attacks and phishing campaigns targeting various geographic areas, including the UK, and confirmed the recent high Dridex activity.

He said: “While it’s unclear if the current Dridex wave is actually higher in the UK or if the apparent geographic centrality is an artifact of the sinkhole locations used, Proofpoint can confirm the activity of Dridex and Dyre.

“The motives are the same: financial in nature, organised crime goes where the money is, and the UK has historically lagged the US in adoption of modern targeted attack protection technologies, instead relying on renewal of years-old anti-spam gateway contracts.

“The result is clear, phishing penetrates legacy systems, so attackers are more successful. Since Dyre is polymorphic, and delivered via longline phishing attacks, it’s like the flu; a vaccine against one variant won’t stop others.

“Legacy signature-based email anti-spam systems won’t help. Organisations must proactively invest in modern targeted attack protection and threat response systems.”

The post Dridex Trojan targets UK users and businesses appeared first on IT Security Guru.