Banking Trojan Dridex Aiming To Target Crypto Currency Wallets
By Paul Liu
Wednesday, June 7th, 2017

Dridex, one of the most high-profile banking trojans of 2015, is rearing its ugly head once again. According to information published by the security firm Forcepoint, the infamous malware is still being updated and, worse, it may soon start targeting cryptocurrency wallets. This is a worrying development, since it took the combined might of the FBI, the UK's National Crime Agency and other security agencies to bring it down the last time.
Dridex, also called Bugat or Cridex, is malware that specializes in stealing a user's banking credentials. It spreads via email attachments containing Word or Excel files; the infection itself is carried out by a macro that abuses functionality built into MS Office. Once the user downloads and opens the infected attachment, the malware installs a keylogger and performs an injection attack. It records the user's activity until it captures banking information and starts conducting fraudulent transactions soon thereafter. The attackers behind the malware managed to steal 10 million dollars from US users and 20 million pounds from UK users during 2015. The malware's activity slowed when the Necurs botnet was brought down by the security agencies in October 2015, but there are signs that it will experience a resurgence in the near future.
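The infection vector described above is a macro inside an Office attachment. A mail-gateway or endpoint triage step a defender can apply is to classify attachments by content rather than by file extension, flagging any OOXML container that carries a VBA project. The following is an added example written for this article, not code from Forcepoint or from the malware itself; the sample documents it builds are constructed minimal zip containers, not real Office files, and the function and variable names are the example's own.

```python
import io
import zipfile

# Content types used by OOXML for plain vs. macro-enabled Word documents.
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Parts where Word, Excel and PowerPoint store VBA projects in OOXML files.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions that, by convention, must not carry macros.
NO_MACRO_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample input: a minimal OOXML-style zip container in memory.

    Real Office files carry many more parts; only the parts the check
    inspects are present here. The vbaProject.bin payload is a placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        ct = MACRO_ENABLED_CT if with_macro else PLAIN_CT
        z.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def inspect_attachment(data: bytes) -> dict:
    """Look inside the bytes of an attachment and report what it contains."""
    info = {"is_ooxml": False, "has_vba_part": False, "macro_enabled_type": False}
    # OOXML files are zip archives; a local file header starts with PK\x03\x04.
    if not data.startswith(b"PK\x03\x04"):
        return info
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    names = set(z.namelist())
    if "[Content_Types].xml" not in names:
        return info
    info["is_ooxml"] = True
    # Check both the well-known part paths and any stray vbaProject.bin.
    info["has_vba_part"] = any(n in names for n in VBA_PARTS) or any(
        n.lower().endswith("vbaproject.bin") for n in names
    )
    content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    info["macro_enabled_type"] = "macroenabled" in content_types.lower()
    return info


def classify(filename: str, data: bytes) -> str:
    """Triage verdict for one attachment.

    Returns one of:
      "not-ooxml"                 - not a zip-based Office document at all
      "clean"                     - OOXML without any VBA indicators
      "macro"                     - OOXML carrying a VBA project
      "macro-extension-mismatch"  - VBA present but the extension claims no macros
    """
    info = inspect_attachment(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    carries_macro = info["has_vba_part"] or info["macro_enabled_type"]
    if not carries_macro:
        return "clean"
    if filename.lower().endswith(NO_MACRO_EXTENSIONS):
        return "macro-extension-mismatch"
    return "macro"


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_doc(True)),
        ("invoice.docx", build_sample_doc(True)),
        ("report.docx", build_sample_doc(False)),
        ("notes.txt", b"just text"),
    ]
    for name, blob in samples:
        print(f"{name}: {classify(name, blob)}")
```

The check deliberately ignores what the file name claims: a `.docx` whose content carries a VBA project is exactly the kind of mismatch worth quarantining. It covers only the zip-based OOXML formats; legacy binary `.doc`/`.xls` files use the OLE compound format and need a dedicated parser (for example the `olevba` tool from the oletools project) rather than this heuristic, and a zero-VBA verdict here is a triage signal, not proof that an attachment is safe.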
The Forcepoint report states that Dridex is now preparing to target cryptocurrency wallets stored on victims' machines. The new version of the malware not only steals credentials from banking apps and portals, it also scans the system for popular cryptocurrency wallets. The experts at Forcepoint believe that the trojan is currently building a database of popular wallet software, and that this information will come in handy when Dridex actually starts stealing bitcoins and other cryptocurrencies. Apart from popular wallets such as Coinbase, Breadwallet, Coinsbank and Bitcore, the updated version of the malware also scans for many other types of apps that could be related to financial transactions.
In addition to scanning for cryptocurrency wallet software, Dridex has incorporated many other changes to avoid detection and scrutiny. The new version of the trojan includes a blacklisting feature that can exclude computers belonging to security companies or researchers. The feature draws on the large database of computer systems that the malware has collected over time. This means the trojan won't infect every computer it lands on via an email attachment; instead, it first compares the computer's system information against its existing database and weeds out systems known to belong to security companies and independent experts. Moreover, the malware's configuration file is now transmitted in encrypted form, making its detection a lot more difficult.
It is clear that the creators of Dridex have massive resources at their disposal. While it is not yet clear whether the malware will target cryptocurrencies at all, the recent changes definitely point in that direction. Given Dridex's notoriety, Windows users should exercise caution when downloading and opening suspicious email attachments and when following suspicious URLs.