Banking malware has been a serious threat for many years, and Dridex is among the most widely distributed banking trojans of the past few years. That threat is far from over: after an absence of nearly six months, security researchers have identified a slightly modified Dridex strain being used against UK financial institutions.
Dridex Is Back With A Vengeance
It was only a matter of time until the Dridex banking malware made a return. Unfortunately for financial institutions in the United Kingdom, they are the targets of the most recent spear-phishing campaign distributing the malware. What makes this version of Dridex notable is that it can bypass Windows User Account Control (UAC). UAC bypass techniques are not new in themselves, since they have been publicly documented for years, but this is the first Dridex build known to ship one, and its developers have added the capability to an already capable piece of malware.
Flashpoint researchers discovered the new strain recently, although the campaigns they analyzed were small in scale. As is usual for spear-phishing campaigns, the distribution relies on emails carrying Word documents with malicious macros; the infection only proceeds if the recipient opens the attachment and enables the macro content. In most cases the documents are presented as tax paperwork or electronic fax notifications. By using these seemingly innocuous file descriptions, the criminals increase their chance that the recipient will open the document and enable macros.
Unfortunately, even these small-scale Dridex campaigns have proven successful, according to the researchers: several thousand systems have been compromised, which does not bode well for the UK banking sector. Once the macro has executed on a victim's system, the UAC bypass lets Dridex obtain administrative privileges without the user ever seeing an elevation prompt.
As one would expect from well-engineered malware, Dridex keeps running as a background process on the infected computer until it is removed. Removal is not easy, because the malicious code is loaded through a legitimate, Microsoft-signed Windows component that UAC elevates automatically, so to Windows it looks like a trusted application rather than foreign code. More disconcerting is that fully patched Windows systems remain susceptible to this technique. There is also no reason to expect a quick fix: Microsoft does not treat UAC as a security boundary, so bypasses of this kind are not handled as vulnerabilities. Administrators should instead rely on controls they own, such as running day-to-day accounts as standard users, setting UAC to "Always notify" (which disables auto-elevation of Windows binaries), and blocking Office macros in documents that arrive from the internet.
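The two host settings that cut this attack chain short, the macro lure in the phishing paragraph above and the silent elevation described in this one, can be audited and remediated from PowerShell. The following is an added example written for this page, not code from the article or from Flashpoint's analysis, and it assumes an Office version that uses the `16.0` policy hive (Office 2016 and later) and an elevated shell for the machine-wide UAC key. The registry values it reads are the documented Group Policy settings behind "User Account Control: Behavior of the elevation prompt for administrators" and "Block macros from running in Office files from the Internet".

```powershell
# Added example (not from the article): audit and harden two settings that defeat the
# Word-macro-then-UAC-bypass chain described on this page.
# Assumptions: Office policy hive 16.0 (Office 2016+); Set-Hardening needs an elevated shell.

function Get-UacPromptLevel {
    # ConsentPromptBehaviorAdmin: 2 = "Always notify". Only that level disables
    # auto-elevation of signed Windows binaries, which is what prompt-free UAC bypasses abuse.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

function Get-OfficeInternetMacroBlock {
    # blockcontentexecutionfrominternet = 1 blocks macros in documents carrying the
    # Mark-of-the-Web, so an "Enable Content" lure in an emailed attachment never runs.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{ App = $app; InternetMacrosBlocked = ($v -eq 1) }
    }
}

function Set-Hardening {
    # Remediation for both findings. The HKLM write requires an elevated session.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Audit only; call Set-Hardening deliberately after reviewing the output.
Get-UacPromptLevel
Get-OfficeInternetMacroBlock
```

"Always notify" closes the auto-elevation path that this class of bypass depends on, but it does not make UAC a security boundary: a user who is a local administrator and clicks through a prompt still hands the malware full privileges, so the standard-user recommendation above remains the stronger control. The HKCU macro policy applies to the current user only; in a domain it belongs in Group Policy rather than a per-machine script.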
For the time being, Dridex's primary objective appears unchanged. The malware continues to harvest login credentials used for financial services and platforms. It is likely that the criminals will also use infected machines to establish remote connections and move deeper into a bank's network over time.
Header image courtesy of Shutterstock