The Dridex Threat: How to Block the Latest Malware Aimed at Banks

It sounds innocuous, like the name of a household cleaning product, but Dridex is the latest in a string of online banking malware programs with devastating capabilities.

Just like Feodo, Geodo and Cridex (from which it was derived), Dridex is a descendant of the malware known as Zeus, designed to help attackers steal users' banking credentials, then more personal information and, finally, their money.

Dridex uses an old-fashioned method of attack: macros embedded in Microsoft Word documents. Macros are electronic instructions that make computers launch into tasks, and they were a popular way to infect computers in the early 2000s but fell out of favor as Microsoft's patches got better and users became accustomed to disabling them.

The new malware has emerged at a time when U.S. consumers are already extremely vulnerable to online banking fraud. In the first nine months of 2014, 904 million records were compromised by data breaches, according to consulting firm Risk Based Security. One of the most famous examples is JPMorgan Chase's breach, first announced in July, that affected 76 million households and 7 million small businesses.

Dridex works like this: hackers send high-volume phishing attacks, sometimes spoofing the email domains of trusted companies. The emails contain attachments, typically Word documents embedded with malicious Visual Basic code, that appear to the unsuspecting user to be an invoice or an accounting document. Users click on the document and unleash the malware onto their computers, where it finds files or activity related to online banking and gleans online-banking usernames and passwords. Then, through HTML injection into the bank website or a fake pop-up window, the attackers get users to cough up additional personal data such as Social Security numbers.

"What's interesting about the attack is they do enough reconnaissance on the target to identify who's in an accounting role or conducting some sort of business with someone else that would involve the receipt and need for an invoice," said Tom Kellermann, who is the chief cybersecurity officer at Trend Micro. "They can bypass some of the traditional cybersecurity mechanisms out there by using this type of technique. As long as you've enabled macros, they can penetrate your computer and bypass security. Many people leave macros on because they enhance their computer experience and the functionality of the applications they use."

Direct data on Dridex-related theft is hard to come by because it is too new. But logic suggests the malware has been successful. Its predecessors have been around for close to four years and they have "been going through all these iterations," said Ryan Olson, intelligence director for Unit 42, a threat-intelligence research group at Palo Alto Networks. "It seems like the people behind it have probably been making money off this." (The name Unit 42 is a reference to Douglas Adams' The Hitchhikers' Guide to the Galaxy, in which 42 is the number from which "the meaning of life, the universe, and everything" could be derived.)

After a spike in October, researchers have seen a drop-off in Dridex lately. This could mean that spam filters and antimalware software have gotten better at detecting malicious emails and preventing them from getting into inboxes. "It's also possible that the attackers behind the delivery of the malware got more targeted about who they wanted to go after or the potential volume of email," Olson said.

The hackers also might be taking a rest. "Hackers have to take a break," Olson said. Literally. Once they have stolen a batch of online banking credentials, they have to do something with them relatively quickly, like sell them or use them to steal from the accounts. "You have to go do something if you want to make your money. Depending on how big a team you have, you might need to go in and reap what you've sown."

Defense Tactics

Spam filters and antivirus software can analyze attachments for signs of malicious properties. However, those are only as good as the signature the bank has available.

"There are spam filters that can block and tackle these attacks," Kellermann acknowledged. "However, as they continue to develop new variants of the code, which is what's going on in the cyber arms race, you're playing catch-up."

Email authentication technology can help prevent cybercriminals from spoofing a company's email addresses.

"Organizations should become very serious about the reality that their brand extends beyond what they can control, so to protect it, they need to implement things like DMARC, which is an email authentication standard for financial institutions so users and prospective users and customers don't fall prey to these types of attacks," Kellermann said.

But Rick Holland, principal analyst at Forrester Research, cautions about the limitations of DMARC.

"In theory, implementing authentication via DMARC could help with these challenges," he said. However, email authentication is not going to fix broken or unknown business processes. "A company shouldn't just implement email authentication without understanding how emails are sent out of their organization," he said.

Any third-party marketing groups must be included; otherwise legitimate emails will not be delivered to their recipients. "Email authentication implementations should be thought through thoroughly and done in phases to minimize disruption of legit emails," Holland said.

Olson cautions that even when a bank has DMARC in place, users must be able to recognize when something is not from their bank.

The best way to defend against Dridex, in the view of experts, is to deploy breach-detection software and disable macros. "Only with those two technical mechanisms can you really begin to deal with real attacks in today's environment, especially ones like this that use macros," Kellermann said.

Data-breach-detection software provides a "sandbox" or a protected environment in which customers can safely open the email and its attachment and observe what it does, without the risk of infecting the computer or network. Palo Alto and Trend Micro each offer one.

Employees and customers should disable macros. "Disabling macros was common for a while in Excel and Word because if we go back a decade, macro viruses composed of Visual Basic script inside Word documents were easily infecting computers," Olson said. "Some organizations may have steered away from that. You should keep them disabled by default."

Keeping up with security patches is also helpful in protecting against Dridex, as it is against other types of threats. "That's the most important basic hygiene users can do," Olson said.

Moreover, users should also be warned to never click, open or do anything with an email before reading the headers. "If the headers are a bunch of jibber-jabber, you need to steer clear," Kellermann said. "You need to remember the R-squared rule, which is the 'Reply to:' line needs to be the exact same thing as the return path. If they're not, someone's trying to impersonate someone you do business with and they're trying to hunt you. Don't click on it, don't download it, don't do a damn thing with it."

Banks should offer user education, Holland notes, acknowledging that "there are obviously limits on this approach." Working with law enforcement agencies to take down sites that are hosting this malware is also an option.

"Phishing/social engineering is a difficult problem to solve for internal company users and when it shifts to external customers it is even more difficult," Holland said. "You have so much less control."

For reprint and licensing requests for this article, click here.
Bank technology Fintech
MORE FROM AMERICAN BANKER