Dridex Trojan targets UK banks, avoids two-factor authentication checks

The Trojan is now part of a new operation focused on compromising UK banking systems.
Written by Charlie Osborne, Contributing Writer

Researchers from IBM have revealed new developments in the use of the data-stealing Dridex Trojan in targeting UK banks.

IBM X-Force revealed on Tuesday that the cybercrime group known as Evil Corp, creators and controllers of the Dridex Trojan, has recently turned its attention to bank accounts owned by wealthy UK residents.

The latest version of the Trojan, v.3.161, was first detected on Jan 6, 2016. The malware is believed to be responsible for stealing up to £20 million from UK accounts over the past several years.

The Dridex Trojan spreads through email phishing campaigns and includes features such as the ability to spy on victim PCs, with the overall aim of stealing credentials which can be used to access bank accounts and cash reserves.

Despite arrests made in 2015 by the UK's National Crime Agency (NCA) and FBI of those believed to be part of Evil Corp, it appears Dridex remains a threat to UK banking customers.

According to IBM, the latest malware build was immediately followed by an infection campaign which used the Andromeda botnet to deliver malware payloads to potential victims.

Evil Corp's latest campaign involves would-be victims being sent a phishing email with a Microsoft Office attachment purporting to be an invoice. The file contains malicious macros that, if the document is opened and the macros run, will launch the Dridex Trojan and connect the compromised PC to a botnet.
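The lure described above relies on a macro-bearing Office document. The following is an added example, not code from the article or from IBM's research, showing the first check a mail gateway or triage script can make: an OOXML document (.docm, .xlsm, and so on) is a zip archive, and the VBA project is stored as a `vbaProject.bin` member and declared in `[Content_Types].xml`, while legacy binary formats (.doc, .xls) start with the OLE compound-file signature and need a separate parser. The sample documents are constructed in memory so the script runs offline; the function and file names are the author's own.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML writers declare for an embedded VBA project.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns one of:
      'ooxml-macro'  - OOXML package carrying a VBA project (treat as suspicious)
      'ooxml-clean'  - OOXML package with no VBA project member
      'ole-legacy'   - legacy binary Office file; may carry macros, needs an OLE parser
      'other'        - not an Office document (or not a readable zip)
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project is normally stored under word/, xl/ or ppt/.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Belt and braces: some writers declare the part even if the path differs.
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-clean"


def triage(filename: str, data: bytes) -> str:
    """Simple gateway decision: quarantine macro documents dressed up as invoices.

    'invoice' is the lure word from the campaign described in the article; the
    decision labels are hypothetical policy names chosen for this example.
    """
    kind = classify_attachment(data)
    lure = "invoice" in filename.lower()
    if kind == "ooxml-macro" or kind == "ole-legacy":
        return "quarantine" if lure else "sandbox"
    return "deliver"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package (sample input, not a real document)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Invoice_4471.docm", build_sample(True)),
                       ("minutes.docx", build_sample(False)),
                       ("Invoice.doc", OLE_MAGIC + b"\x00" * 8),
                       ("notes.txt", b"plain text")]:
        print(f"{name:20s} {classify_attachment(blob):12s} -> {triage(name, blob)}")
```

A `vbaProject.bin` member only tells you a VBA project exists, not what it does; the value of the check is that an unsolicited "invoice" should not need macros at all, so the presence of one is enough to hold the message for a sandbox run or analyst review.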

Should a victim then try to visit their online banking service, they will be unwittingly redirected to a malicious domain controlled by the group which mimics the legitimate service. If a victim believes the fake, replica website to be real, then any account details they input will be harvested and sent to Evil Corp for use in siphoning off cash.

One interesting development, also seen recently in a phishing attack against LastPass, is the circumvention of two-factor authentication (2FA). 2FA adds a second check, typically a one-time code sent to your mobile device, when you attempt to access a web service.

However, the makers of Dridex have updated the malware and campaign setup to get around this check. When a victim visits the malicious domain and enters their details, they are also asked to provide their 2FA code. The code is sent to Evil Corp's command and control (C&C) server, which immediately submits it to the bank's genuine website, so the harvested credentials and code are checked for validity in real time.

If these details are valid, victims have handed the keys to their financial kingdom over to the cyberattackers without realizing it.
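Because the relay described above produces a login with a correct password and a correct one-time code, the bank cannot tell it from a genuine login by checking those two factors alone. The following is an added example, not code from the article or from IBM, of the kind of session-binding check a bank's fraud engine can apply on top: a login whose password and 2FA code are valid but which arrives from a network and a device the customer has never used before is treated differently, and a transfer to a new payee inside such a session is held rather than executed. The customer history, IP addresses and device identifiers are constructed sample data; the decision labels and function names are the author's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class LoginEvent:
    customer: str
    ip: str                  # source address the bank's web tier sees
    device_id: str           # identifier the bank set on a previously enrolled browser
    password_ok: bool
    otp_ok: bool             # the one-time code verified correctly
    new_payee_transfer: bool = False  # session attempts a payment to a never-seen payee


# Constructed history: networks and device identifiers each customer has used before.
# 81.2.69.0/24 and 203.0.113.0/24 are documentation/example ranges, not real customers.
HISTORY = {
    "alice": {"nets": [ip_network("81.2.69.0/24")], "devices": {"dev-alice-laptop"}},
}


def assess(event: LoginEvent, history=HISTORY):
    """Return (decision, reasons) for one authenticated session.

    Decisions (hypothetical policy names for this example):
      'deny'                  - password or OTP wrong
      'allow'                 - both factors valid, known network and device
      'step-up-out-of-band'   - both factors valid but the session is unrecognised;
                                confirm over a channel the fake site cannot relay
      'hold-for-review'       - unrecognised session is also paying a new payee
    """
    reasons = []
    if not (event.password_ok and event.otp_ok):
        return "deny", ["credential-or-otp-failure"]

    known = history.get(event.customer, {"nets": [], "devices": set()})
    if not any(ip_address(event.ip) in net for net in known["nets"]):
        reasons.append("unseen-network")
    if event.device_id not in known["devices"]:
        reasons.append("unseen-device")

    if reasons and event.new_payee_transfer:
        reasons.append("new-payee-from-unrecognised-session")
        return "hold-for-review", reasons
    if reasons:
        return "step-up-out-of-band", reasons
    return "allow", reasons


# Constructed events: a normal login from Alice's own laptop, and a relayed login
# where valid credentials and a valid code arrive from an unknown server and browser.
NORMAL = LoginEvent("alice", "81.2.69.142", "dev-alice-laptop", True, True)
RELAYED = LoginEvent("alice", "203.0.113.7", "dev-unknown-7f3a", True, True, new_payee_transfer=True)
WRONG_CODE = LoginEvent("alice", "81.2.69.142", "dev-alice-laptop", True, False)


if __name__ == "__main__":
    for label, ev in [("normal", NORMAL), ("relayed", RELAYED), ("wrong-code", WRONG_CODE)]:
        decision, why = assess(ev)
        print(f"{label:10s} -> {decision:22s} {why}")
```

The point of the example is that a valid OTP proves only that someone who could read the code submitted it in time; what the relay cannot forge is the customer's usual network and enrolled device, so those signals, plus a second confirmation that carries the payee and amount over a channel the fake site does not control, are where the detection has to live.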

"The fraudsters initiate the illicit transaction while the victim is being delayed by the social engineering injections on the fake site," IBM says. "If the fraudsters lack any details or face additional challenges on the bank's website, they use more injections to solicit the victim's assistance. In cases of successful information harvesting, the money is moved from the victim's account to a mule account."

IBM researchers say up to 13 UK banks have been targeted in the new campaign -- and both business accounts and high-value customers are of particular interest. Good news for the average consumer who is less likely to be targeted, but not for UK businesses dealing with a higher cash flow.

The firm says Dridex remains one of the top malware threats worldwide.

Last week, a new phishing campaign targeting LastPass vaults was exposed. An open API and a logout cross-site request forgery (CSRF) flaw were used to fool users into believing their LastPass sessions had expired, leading them to enter their details into a malicious domain.
