Dridex, a relatively new and improved version of the infamous Cridex/Feodo banking Trojan, is being widely disseminated via email spam campaigns.
First spotted in July 2014, Dridex is mostly aimed at bank customers in the US, UK, Europe, Canada and Australia. Depending on the campaign, it occasionally targets some of these regions more than others, but the contents of its configuration file show that it’s definitely concentrating on bank customers in so-called First World countries.
Initially delivered in the form of executable attachments, the malware now comes in the guise of a Word document.
The delivery vehicle is usually an email supposedly sent by a legitimate company, ostensibly delivering invoices, accounting or financial documents in an attached .doc file.
But what the recipient can’t tell by simply looking at it is that the document also carries malicious macro code that triggers the download of the Dridex malware. And, in case the potential victim has disabled macros, he or she will be instructed to enable them in order to see the contents of the document.
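Because the lure described above is a Word document whose only job is to carry a macro, a mail gateway can hold such attachments before a user is ever asked to "enable content". The following is an added triage example, not code from the article or from Trend Micro; it uses two constructed heuristics (the `word/vbaProject.bin` part in OOXML files and the UTF-16LE `Macros`/`VBA` directory names in legacy OLE .doc files) and builds its own sample attachments inline.

```python
import io
import zipfile

# Constructed heuristics for the two Word container formats such invoice lures arrive in.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm (zip container)
# OLE stores storage/stream names as UTF-16LE; a VBA project shows up in the
# directory as a "Macros" storage holding a "VBA" storage.
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))

def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes appear to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        return all(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage_attachment(filename: str, data: bytes) -> str:
    """Verdict for one mail attachment: 'block', 'quarantine' or 'allow'."""
    if data.startswith(b"MZ"):              # PE executable, whatever the extension claims
        return "block"
    if filename.lower().endswith((".doc", ".docx", ".docm")) and has_vba_macros(data):
        return "quarantine"                 # macro-bearing "invoice": hold for review
    return "allow"

def build_ooxml_sample(with_vba: bool) -> bytes:
    """Constructed minimal .docx/.docm zip, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()

def build_ole_sample(with_vba: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: OLE header plus directory name markers."""
    body = b"\x00" * 512 + "WordDocument".encode("utf-16-le")
    if with_vba:
        body += b"\x00" * 64 + b"".join(OLE_MACRO_MARKERS)
    return OLE_MAGIC + body

if __name__ == "__main__":
    print(triage_attachment("Invoice_2014.doc", build_ole_sample(True)))  # quarantine
```

The OLE check is a string-match heuristic; a production filter should parse the compound file directory properly (for example with oletools' olevba) rather than scanning for names.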
Once executed on the target computer, the malware adds registry entries to enable its automatic execution. It monitors all actions taken via the Firefox, Chrome and Internet Explorer browsers, takes screenshots, grabs the content entered in online forms, and performs HTML injections (presents fake forms requesting additional information).
This last capability is an improvement on Cridex. Another difference between the two is that Cridex is usually spread with the help of exploit kits.
Another thing that it’s good to know is that Dridex is not only after banking credentials, but also after Google, AOL, Microsoft Live, and Yahoo login credentials.
“Macro-based attacks were popular in the early 2000s but they appear to be experiencing a revival these days,” Trend Micro Threat Response Engineer Rhena Inocencio notes, and adds: “For macro-based attacks, it’s best to make sure to enable the macro security features in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings.”