What is the Dridex malware?
Dridex is malware that uses Microsoft Word macros to infect a system. It then creates a botnet to steal banking credentials and other sensitive personal information of the victims, gaining access to their financial records.
Dridex first appeared in 2014 and has since infected millions of computers. In 2015, financial theft caused by Dridex was around 20 million pounds in the UK and around 20 million dollars in the US.
How is Dridex related to Cridex?
The original version of Dridex was known as Cridex, and it first appeared in 2012. Cridex would act as a worm and self-replicate to infect other computers in the network using network drives or attached local storage devices. After infection, it would add the infected computer to a botnet and harvest the sensitive banking credentials of the victims.
The current version of Dridex first appeared in 2014. Like Cridex, Dridex adds the infected computer to a botnet and steals the victims’ sensitive credentials. But unlike Cridex, Dridex does not self-replicate. It typically infects a computer using spam emails. The victim typically gets a spam email with a Microsoft Word document attachment. On clicking on the attachment, macros download and install the malware on the victim’s computer.
Dridex malware updated itself significantly in November 2014. It started using Peer-to-Peer communication and decentralized its infrastructure, making it much harder to take down.
How does the Dridex malware infect a computer?
Dridex spreads through spam campaigns. Victims usually get spam emails with a Microsoft Word attachment. To make the spam emails look more authentic, the attackers often use real company names in the message body, subject line, or sender address. They may even use the same top-level domain as that of the actual company. In most cases, these spam emails disguise themselves as financial statements.
The attached Microsoft Word document contains a malicious macro. When a victim clicks on it and opens the attachment, the macro starts execution. It drops a .vbs file, which in turn downloads and installs Dridex in the victim’s computer.
So, to summarize, Dridex typically follows the steps mentioned below to infect a computer :
- A user receives a spam email with some Microsoft Word attachments disguised mostly as a financial statement.
- The user clicks on the attachment and it prompts to enable the macro.
- On enabling it, the macro starts execution and a malicious .vbs file is dropped.
- The .vbs file downloads and installs the Dridex malware.
How does the Dridex botnet steal the sensitive data of victims?
After infection, Dridex injects itself into popular web browsers and uses the Man-In-The-Browser attack to …
0 Comments