Security researchers have found a new development with the Dridex Trojan: the attackers have refocused their aim on banks based in the United Kingdom, specifically those through which large business accounts are transacted.
It is almost as though the attacks of recent weeks were not enough; a great number of UK residents were targeted by infection campaigns that followed the release of an updated edition of the Dridex Trojan.
Security researchers now strongly believe that the newest version of the Dridex Trojan is distributed by a network of bots called Andromeda, which spreads the infection across a vast span of computer networks.
In the beginning of the Trojan’s operations, only a few banks were affected by the infection. Days later, the number of banks targeted by the Trojan grew exponentially. It is hardly a surprise that the attackers targeted banks in the UK, the Dridex Trojan being known for its fondness for high-value targets. In the case of the UK banks, the Trojan was interested in the subdomains used for business and corporate account access, according to researchers at IBM.
As with other tactics used by attackers, the Dridex Trojan lures potential victims into opening a phony set of invoices delivered in a Microsoft Office file format, so that the Trojan is launched once the document is opened.
When infected users visit their bank’s website, the Dridex Trojan redirects them from the legitimate site to another one. The goal is to steal their login information, such as username, password and email address, while neither the victims nor the banks involved have the slightest idea of what is going on in the background.
The Dridex Trojan brings victims to a compromised site via local DNS poisoning rather than the local proxy used by other Trojans. There is nothing new about this technique, but it requires a tremendous amount of preparation: the attackers must develop an exact replica of the targeted website, in this case a bank’s site. This also requires considerable investment, since the replica must be convincing enough to trick the targeted victims.
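Local DNS poisoning of the kind described above typically means the victim machine resolves the bank's hostname to an address the attacker controls, so one practical detection on an endpoint is to check local name-resolution overrides against the institution's known address ranges. The following is an added example written for this article, not code from the article or from any vendor it cites: it parses a hosts file (a constructed sample is embedded; on Windows the real file lives at C:\Windows\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts) and flags any entry that pins a monitored banking domain to an address outside that domain's expected ranges. The domain `examplebank.test`, its address range and the sample entries are all hypothetical.

```python
"""Flag hosts-file entries that pin banking subdomains to unexpected addresses.

Added example for the Dridex article; not the article's or any vendor's code.
All domains, ranges and sample lines below are constructed for illustration.
"""
import ipaddress

# Constructed sample hosts file. The first entries are ordinary; the last two
# show what a poisoned override for a bank's business-access subdomains looks like.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.corp.example   # internal service

# Suspicious: banking hosts pinned to addresses outside the bank's netblock
203.0.113.45    business.examplebank.test www.examplebank.test
198.51.100.9    corporate.examplebank.test
"""

# Hypothetical allowlist: registrable domain -> address ranges it is expected to
# resolve into. In practice this would be built from the institution's published
# netblocks or from answers obtained via a trusted, validating resolver.
EXPECTED_RANGES = {
    "examplebank.test": [ipaddress.ip_network("192.0.2.0/24")],
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are skipped, and lines whose
    first field is not a valid IP address are ignored as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def registrable_domain(hostname):
    """Crude last-two-labels parent (e.g. 'examplebank.test'); enough for this allowlist."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_poisoned_entries(text, expected=EXPECTED_RANGES):
    """Return a list of findings for monitored domains mapped outside their expected ranges.

    Each finding is a dict with the hostname, the overriding IP and the monitored domain.
    Hostnames under domains that are not monitored are ignored.
    """
    findings = []
    for ip, name in parse_hosts(text):
        domain = registrable_domain(name)
        ranges = expected.get(domain)
        if ranges is None:
            continue
        if not any(ip in net for net in ranges):
            findings.append({"hostname": name, "ip": str(ip), "domain": domain})
    return findings


if __name__ == "__main__":
    for f in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"ALERT: {f['hostname']} -> {f['ip']} is outside the expected range for {f['domain']}")
```

Running the block reports the three banking hostnames from the sample file. On a real endpoint the same check belongs in an EDR or configuration-monitoring job, and the hosts file is only one of the local overrides worth watching: a changed DNS server setting or a resolver cache entry that disagrees with a trusted resolver are the other signals of the same technique.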
Some security researchers believe that the developers behind Dridex bought site replicas from the Dyre team, another group of hackers, which created the older Dyre Trojan. It was reported in the past that the FBI, the US Justice Department and the UK’s National Crime Agency took down a botnet associated with Dridex. But it appears the Trojan is still alive today.