Dridex-infected computers are incorporated into a modular botnet, which lets the operators add new malicious features, their own or third-party, through modules or libraries. During 2015 Dridex caused millions in losses in several European countries and the United States, and then disappeared. Now, however, the Dridex Trojan is back, apparently in versions that are harder to detect.

The first version appeared in late 2014; a major update in early 2015 brought the second version of the Trojan. Of the major versions of Dridex, the most stable and robust to date has been the third, released in April 2015 and used in all known attack campaigns until the fourth appeared. The latest known version is version 4, first found in February 2017.

This computer virus spreads through e-mails with attached files, e.g. an invoice, in Word or Excel format that ask for macros to be enabled in order to open them. Once downloaded, it infects the device and steals the online banking passwords stored in the browser. If the password is not saved in the browser, the virus waits until we log in to our bank’s website. Once it has our credentials, it gets full access to our accounts and makes a transfer to the account of a “mule”.
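As an added example (not code from the original article), a check a mail gateway or an analyst could apply to an attached “invoice” to tell a macro-enabled Office document from a clean one, regardless of the file extension the lure uses. The sample packages are constructed in memory and are not real Dridex lures.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE container used by .doc / .xls files
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_office_package(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML zip (clean, or macro-enabled like .docm)."""
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Override PartName="/word/document.xml" ContentType="application/'
             'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Macro-enabled documents carry the compiled VBA project as a binary part
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-stream")
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify attachment bytes as 'macro', 'clean', 'legacy-binary' or 'not-office'.

    The extension is deliberately ignored: lures are often renamed, so the
    decision is based on the container and its declared parts only.
    """
    if data.startswith(OLE_MAGIC):
        # Old binary .doc/.xls can embed VBA too; flag for deeper OLE inspection
        return "legacy-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in ctypes:
        return "macro"
    return "clean"
```

A gateway policy built on this would quarantine “macro” and “legacy-binary” results for review rather than delivering them as ordinary invoices.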

The new variant of this banking threat incorporates new functionality. One new feature is AtomBombing, a code-injection technique that avoids calling suspicious APIs so as not to be flagged by monitoring systems. It also adopts DLL hijacking to obtain persistence, and several optimizations have been made to the cryptographic methods used to retrieve the configuration.

The best we can do is:

▸Don’t open attachments if you’re not sure what they are.

▸Do not enable macros, even if the document asks you to.

▸If you use online banking, do not save your passwords in the browser, and when entering them make sure that you are on your bank’s official website.

▸Use a licensed and updated antivirus and operating system. If you don’t have an antivirus license, most vendors provide a free version or a full-featured trial.

See also:
Janeleiro is a threat to personal and banking data
Black Box – An attack targeting ATMs
