On December 5, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions against Evil Corp, a Russian cybercriminal organization that is known for distributing the Dridex malware. Dridex is a banking trojan that has been used to target financial institutions across the globe and has resulted in more than $100 million in theft. The same day, the Department of Justice announced the unsealing of criminal charges against two Russian individuals associated with Evil Corp for their roles in a series of hacking and bank fraud offenses involving Dridex, also known as ‘Bugat’ malware. In coordination with these efforts, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and Financial Sector Cyber Information Group (CIG) have released a report to inform the financial sector about the threat of Dridex, including a series of recommended mitigation strategies and a list of previously unreported indicators of compromise.
Dridex Malware
Dridex is a well-known banking trojan that has frequently been used for the theft of online banking credentials since it first became a popular hacking tool in 2014. Hackers generally target victims through phishing e-mail campaigns, using various social engineering techniques to encourage recipients to click on a malicious link or open an attachment. The attachment then either contains the malware itself or hidden macros that once activated, will download the Dridex malware. Dridex has multiple variants and methods of execution, which have evolved over the years. Generally, the modules used to operate the malware are able to capture screenshots, act as a virtual machine, or add the victim’s machine to a botnet.
According to Treasury’s report, once the Dridex is activated, “The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.” Once the attackers have obtained a victim’s login information, they can use it for fraudulent activities such as facilitating wire transfers or opening new accounts. Attackers also frequently deploy ransomware, such as Locky, as part of the same attack.
Mitigation Tactics Against Dridex
As part of the Dridex report, in addition to a set of indicators associated with the malware, Treasury and CISA have released a series of recommendations for steps that all organizations can take to better protect themselves against infection. For example, ensuring that systems are set by default to prevent the execution of macros can decrease the likelihood of a malicious attachment successfully downloading Dridex onto a victim’s machine. Other recommendations include educating employees on the appearance of phishing emails, updating intrusion detection systems to include the latest Dridex variants, and regularly backing up data.
In addition, the Dridex report also includes a link to the NSA’s “Top Ten Cybersecurity Mitigation Strategies,” which are designed to offer a risk-based approach to countering a broad range of possible exploitation techniques. Such mitigation measures are particularly important heading into the holiday shopping season, which typically sees an increase in cybercrime and online scams. The mitigation steps include:
- Update and upgrade software immediately;
- Assign privileges and accounts based on risk exposure and necessity for business operations;
- Enforce signed software execution policies;
- Exercise a system recovery plan;
- Actively manage systems and configurations;
- Continuously hunt for network intrusions;
- Leverage modern hardware security features;
- Segregate networks using application-aware defenses;
- Integrate threat reputation services; and
- Transition to multi-factor authentication.