LONDON -- A piece of banking malware spread by a group of Eastern European hackers has stolen at least $40 million from businesses in the U.S. and U.K. alone.
Known as Dridex, the malware was spread by a hacking group which calls itself Evil Corp and has infected thousands of computers around the world before stealing banking credentials to siphon off millions of dollars from victims' bank accounts.
What Is Dridex?
Dridex, also known as Bugat, is a strain of banking malware that uses specially crafted Microsoft Office documents to allow it to infect computers. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
The Dridex malware was first spotted in November 2014 and has evolved from another piece of malware known as Cridex, which itself is based on the Zeus malware. The Bugat malware dates back much futher to 2010. According to security firm Trustwave, the Dridex banking malware initially spread in late 2014 via a spam campaign that generated upwards of 15,000 emails each day. The attacks primarily focused on systems located in the U.K.
Why Is It In The News Now?
A joint effort by the FBI and the U.K.’s National Crime Agency (NCA) saw the arrest of one of the men responsible for operating the Dridex malware, 30-year-old Andrey Ghinkul, also known as Smilex, who was arrested in Cyprus in August. The NCA said the Dridex malware is responsible for theft from “global financial institutions and a variety of different payment systems” with losses in the U.K. alone estimated at $30 million. The FBI estimates losses in the U.S. to be at least $10 million.
To stop the network of infected computers -- known as a botnet -- from communicating with the criminals, the NCA and the FBI have been sinkholing the malware, which they say has rendered a large portion of the botnet harmless.
How Do Systems Get Infected With Dridex?
Dridex malware is spread using spam email messages which have been tailored to look legitimate and contain a Microsoft Office attachment -- typically a Word or Excel file -- that has been modified to allow the hackers infect the victim’s machine if the victim downloads the file.
The Office file contains macros -- a small embedded program -- that trigger the download of the main Dridex banking Trojan. This then sits on a victim's system until he/she logs on to online banking websites, when it captures username and passwords before sending them back to the criminals controlling the network.
Who Was Infected?
A report from Fujitsu suggests the authors of the malware are using a database of 385 million email addresses to send out the initial attacks, meaning this is certainly not a targeted attack. However Evil Corp was not simply trying to infect anyone, it was specifically targeting small to medium size businesses in order to steal significant amounts of money in a single go to limit the possibilty of capture.
According to the FBI, Ghinkul and his co-accused (who haven't been named yet) attempted steal $1 million from a school district in Pennsylvania in 2011 while it also tried to steal over $2 million from a Penneco Oil account in 2012.
Who Are Evil Corp?
Evil Corp are the group of cybercriminals who are thought to be behind the spread of the Dridex malware. According to the FBI's indictment against Ghinkul, they are based mainly in Moldova. Ghinkul, also known as Smilex, is so far the only named member of Evil Corp.
What Do The Experts Say?
Gavin Millard from Tenable Network Security says Dridex needs active human interaction to work:
“Unlike other malware or exploit kits that prey on vulnerabilities in browsers or plugins to automatically infect victims, Dridex requires user interaction to open files sent. The attack vector is usually a Word document or Excel spreadsheet with a macro to download and install malicious code. To reduce the risk of being infected by Dridex, users should never open unexpected files sent via email and disable macros in Microsoft Office from automatically running.”
Ken Westin from Tripwire says this indicates the sheer scale of global cybercrime:
“The sophistication and scale of the infection of Dridex, not to mention the amount of money made by the cybercriminals involved, shows that cybercrime is a big business. This should also serve as a warning to banks and consumers, as this is only the tip of the iceberg. Law enforcement and private industry are ramping up their defensive capabilities, but at the same time new tools and techniques are being developed that will build on Dridex and include more-sophisticated methods of evasion and infiltration of our systems."
Jens Monrad from FireEye says there is more to Dridex than simply stealing banking credentials:
"One thing that's a bit misleading is that while Dridex is responsible for stealing millions of pounds from bank accounts, the capabilities of Dridex are much more than just targeting bank accounts. Dridex is an information-stealing Trojan, meaning that not only is the victim in risk of losing money due to a compromised bank accounts, but victims, especially employees compromised with Dridex, are also putting their company at risk because Dridex can perform activities such as stealing credentials from applications, perform keystroke logging and also download further malicious payloads, such as backdoors."