As we wrote last month, researchers at Palo Alto Networks found that a piece of malware built to steal bank credentials, personal information and certificates, last seen years ago, is active again. It is a variant of the Cridex Trojan, called Dridex, and it is installed on users' machines when they open macro-enabled infected attachments from their e-mail.
Dridex Malware Targets Bank Accounts
The new Dridex version tries to steal data when you log into your bank account by adding extra fields to the login page's HTML, asking for your social security number, for example. Banking information has always been Cridex's target, and the new variant goes after it as well.
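The injected-field trick works because the victim's browser renders a form the bank never served. A simple way to spot it is to compare the fields of the form the user actually saw (a page capture from a victim's browser, or what a client-side integrity script reports back) against the bank's genuine login form. The following is an added example written for this article, not code from Palo Alto Networks, Trend Micro or any bank; both HTML pages are constructed, and the field names `ssn` and `card_pin` are assumed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: the bank's genuine login form (the baseline) ...
GENUINE_LOGIN_PAGE = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# ... and the same page as a web-injecting Trojan would present it to the
# victim's browser, with two fields the bank never asks for (constructed).
INJECTED_LOGIN_PAGE = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>For your security, confirm your Social Security Number</label>
  <input type="text" name="ssn">
  <input type="text" name="card_pin">
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects the name attribute of every input/select/textarea inside each form."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id (or action) -> set of field names
        self._current = None   # id of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Key the form by id, falling back to its action URL
            self._current = attrs.get("id") or attrs.get("action") or "<anonymous>"
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """Parse an HTML page and return {form_id: set(field names)}."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.forms


def injected_fields(baseline_html, observed_html):
    """Return {form_id: sorted field names} present in the observed page but
    absent from the genuine one. An empty dict means no injected fields."""
    base = form_fields(baseline_html)
    seen = form_fields(observed_html)
    extra = {}
    for form_id, names in seen.items():
        unexpected = names - base.get(form_id, set())
        if unexpected:
            extra[form_id] = sorted(unexpected)
    return extra


if __name__ == "__main__":
    print("clean page:", injected_fields(GENUINE_LOGIN_PAGE, GENUINE_LOGIN_PAGE))
    print("injected page:", injected_fields(GENUINE_LOGIN_PAGE, INJECTED_LOGIN_PAGE))
```

The check is deliberately keyed on field names rather than on visible labels, because an inject can reword the label freely but must give the new input a name for the stolen value to be posted back. It only sees what the browser sent or captured, so the bank cannot run it server-side on its own pages; it is a fraud-analysis or client-integrity tool, not a replacement for keeping the malware off the machine.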
The difference is in how Dridex gets onto the machine in the first place. It hides in the macros of infected Office files disguised as important documents, invoices for example, which you open from your e-mail inbox thinking they matter. If macros are disabled on your computer (the default), the document asks you to enable them when you open it. If they are already enabled, the malware installs itself without the user noticing anything at all.
Dridex’ Outdated Macro-Technique
Macro-based attacks were common a decade ago but faded away once Microsoft strengthened Office's protection by disabling macros by default. Some attackers are now reviving the practice.
As noted above, most computers have macros disabled by default. But when a user opens an infected file from their inbox, the document prompts them to enable macros. If they do, the macro runs and downloads Dridex automatically.
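Because the whole chain depends on a macro-carrying attachment reaching the inbox, a mail gateway or incident responder wants a quick way to tell whether an Office attachment actually carries VBA, regardless of what its file name claims. The following is an added example written for this article, not code from any of the vendors mentioned; it relies only on the documented structure of Office Open XML packages (a zip containing `[Content_Types].xml` and, for macro-enabled files, a `vbaProject.bin` part). The two sample documents are constructed in memory and are not real Word files, and the `invoice.doc` file name is an assumption for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of a legacy binary Office file (OLE2 compound document)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PROJECT_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample(macro_enabled):
    """Build a constructed, minimal OOXML package for the demo (not a real Word file)."""
    if macro_enabled:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
        defaults = '<Default Extension="bin" ContentType="%s"/>' % VBA_PROJECT_CONTENT_TYPE
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
        defaults = ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + defaults +
        '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct +
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Real files hold an OLE2 container here; a stub is enough for the check
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def macro_indicators(data):
    """Return a list of reasons why `data` looks like a macro-carrying Office file.
    An empty list means no macro indicators were found."""
    indicators = []
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls keep macros in OLE streams this demo does not parse;
        # the format alone warrants a closer look with an OLE-aware tool.
        indicators.append("legacy OLE2 document (may contain VBA; inspect with an OLE parser)")
        return indicators
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return indicators
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                indicators.append("VBA project part present: " + name)
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter():
                ct = el.get("ContentType", "")
                if "macroenabled" in ct.lower() or ct == VBA_PROJECT_CONTENT_TYPE:
                    where = el.get("PartName") or el.get("Extension")
                    indicators.append("content type %s (%s)" % (ct, where))
    return indicators


def assess_attachment(filename, data):
    """Decide whether an attachment should be held, based on content, not extension."""
    reasons = macro_indicators(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A macro package renamed to a harmless-looking extension still opens in Office
    if reasons and ext in ("doc", "docx", "xls", "xlsx", "ppt", "pptx"):
        reasons.append("extension .%s hides a macro-enabled format" % ext)
    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess_attachment("invoice.doc", build_sample(True)))
    print(assess_attachment("invoice.docx", build_sample(False)))
```

The decision is taken on the package contents, never on the extension or the MIME type the sender supplied, since the lure in these campaigns is precisely a file named like an ordinary invoice. Legacy OLE2 documents are only flagged for further inspection here; extracting VBA from them needs a proper OLE parser.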
“The move to macros could be seen as one way of ensuring a higher chance of successful attacks,” Rhena Inocencio, a Threat Response Engineer, wrote in the TrendLabs Security Intelligence Blog today. “If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature.”
Once installed on a machine, the malware stays quiet until it sees the user logging into an online bank account. The list of targeted banks is long: Bank of Scotland, Lloyds Bank, Barclays, Triodos Bank, Danske Bank, Santander, and others.
Reports of the malicious messages came mainly from Vietnam, India, Taiwan, South Korea and China, but the three most-affected countries are Australia, the United Kingdom and the USA.
A Swiss online security project that tracks the command-and-control servers of banking malware has now added Dridex to its list as well.
For now the best protection remains keeping macros disabled, refusing to enable them when a document asks you to, and not opening documents from untrusted sources.