Crypto-currency in the crosshairs as Dridex malware evolves to target Bitcoin


Dridex may have been displaced as the ‘King of Malware’ by Locky, but it hasn’t been sitting back and rotting. Far from it, as the emergence of a Bitcoin-hunting variant that targets POS and financial services would suggest.

Six months ago, we were warning that the Nemucod downloader had accelerated Locky ransomware distribution. The spam campaigns pushing this were, it seemed, originating from the same botnet that had been responsible for the Dridex malware before it.

All that had actually happened was that the actors involved had, as far as we could determine at least, simply changed the delivery mechanism and the payload. As is often the case in the world of malware, it’s now all change again and we are back to where it started with Dridex.

Well, sort of. Locky would almost certainly win the ‘King of Malware’ award if such a thing existed and was given on the basis of market domination.

However, reports would seem to suggest that Dridex is once more up and running. This time, according to Proofpoint researchers, Dridex is going for a more targeted approach.

And that target, if the initial Dridex attachment campaigns are anything to go by, looks like being the double whammy of financial services and manufacturing.

Dridex is going for a targeted approach

These campaigns are nothing like the multiple-million spam attachment ones from earlier in the year. Instead it would appear that Dridex is being rolled out in the tens of thousands at most.

Indeed, Proofpoint notes that throughout July and August some Dridex campaigns were in single figures and rarely exceeded a couple of thousand messages. So these latest distribution rollouts are certainly a jump up in scale.

The how doesn’t really change much, with malicious macros in Microsoft Word document attachments still the nature of the game. The targets, though, have changed: back-end payment processing systems and point of sale would appear to be squarely in the crosshairs.

This is not a surprise. After all, these sectors are literally where the money is and monetization is the name of the cybercrime game. By focussing resources on the most profitable sectors, in a highly targeted manner, the potential profits are much larger.

The changing nature of the campaign is also mirrored by changes to the malware itself. A report from the Security Labs arm of transformative technology security consultancy Forcepoint suggests that Dridex is becoming a crypto-currency targeting Trojan.


That Dridex would seem to be scanning infected systems for crypto-currency wallet identifiers, something pretty much no other banking Trojan does as far as we are aware, suggests it is building a database to support Bitcoin theft in future campaigns.

Carl Leonard, principal security analyst at Forcepoint, says that “Dridex has expanded beyond the stealing of online banking credentials to include targeting back-end payment and point-of-sale software, online banking software, and a recently added list of crypto-currency wallet managers. The binary structure of the Dridex malware has been changed, hindering analysis, however, our security teams report that the most common delivery method of Dridex is still via the email attack vector.”

Meanwhile, the lead penetration tester at Redscan, Robert Page, warns: “Dridex is constantly evolving to continue its objective of collecting financial information whilst remaining undetected. Given the increased usage of crypto-currency, it’s not surprising it’s also attempting to gather this type of currency. It’s interesting the malware has improved to prevent analysis by security researchers. Although the anti-sandbox features have been reverse engineered by security researchers in this instance, most likely the malware will continue to improve in future.”

And Mark James, the well-known security specialist with ESET, points out that “Malware without a doubt is getting more and more sophisticated; its ongoing struggle with anti-virus and security vendors is forcing changes for it to stay current and successful. In the early days malware was fairly rigid in its duties and its ability to adapt, but now we often have a very sophisticated piece of code that not only evolves, but is able to adapt to current trends for better efficiency. The Dridex banking Trojan is doing exactly that: where previously its victims were POS and banking systems, it is now acquiring crypto-currency targets to further its attack footprint. These digital currencies have been a common target lately, with some huge breaches involving millions of dollars stolen.”

Finally, Jonathan Sander, VP of product strategy at Lieberman Software, tells us that “The Dridex Trojan being upgraded like enterprise software is no surprise in today’s professional cybercrime world. Cybercrime makes hundreds of billions in revenue for the bad guys. Some say it’s more profitable than the drug trade. Is it any wonder that organized crime has set up operations just as sophisticated as any enterprise software? Just like Microsoft is pushing updates to Windows 10, the bad guys are pushing their latest features in an attempt to increase their current cash flow and seek new revenue streams.”