Story image

Dridex banking trojan targets Australian organisations

11 Apr 17

Proofpoint researchers have discovered a massive spike representing ‘millions of messages’ delivered by Dridex banking trojans that are targeting Australian organisations.

The Dridex trojan — and others like it — have been preying on victims in order to extract financial information such as banking details, credit card data and other logins. This information is then used to conduct fraudulent activities.

Kevin Epstein, Proofpoint’s VP of the Threat Operations Center, says Dridex is not a new trojan.

“Dridex quickly became one of the most notorious banking Trojans in 2015 when massive email campaigns began delivering the malware to millions of recipients. By the middle of 2016, Dridex was mostly being used in smaller attacks as the threat actors behind it turned to distributing Locky in even larger campaigns. Dridex never went away – the actors using it just changed tactics.”

Proofpoint describes two emails used to hide the trojan: One appearing to be from the Royal Australian Mint and the other from lowcostholidays.

Both emails contain double-zipped VB scripts, double-zipped executables or zipped RAR achives. When executed, the scripts downloaded either the Dridex trojan or “Quant Loader”, which then downloaded Dridex.

Another type contained macros to download the Dridex botnet.

He believes the attackers behind the malware trojans could be picking up steam again, particularly as the Trojan attacks have targeted Australia, the UK and France.

“We haven’t observed any malware campaigns of this size in 2017 – given a number of similarities to previous Locky and Dridex campaigns, it appears that these threat actors’ sending infrastructure is returning to full operation. It remains to be seen what that means for high-volume malware campaigns in the coming months.”

The company says organisations that use business accounts are particularly at risk from Trojans, as there could be millions of dollars worth of losses. Information security managers should be concerned when there’s so much at stake.

“While we have seen the pendulum swing this year towards smaller-scale attacks and campaigns, often with higher degrees of targeting and personalisation, the re-emergence of multi-million message campaigns suggests that organisations may now need to cope with a combination of strong social engineering, a wide range of malware, and high-volume spray-and-pray campaigns,” Epstein says.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.