Dridex

Type: Trojan
Subtype: Banking trojan
Authors: Necurs, Maksim Yakubets

Dridex, also known as Bugat and Cridex, is malware that specializes in stealing banking credentials and is delivered through a mechanism that relies on Microsoft Word macros. [5]


The targets of this malware are Windows users who open an email attachment in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft.
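As an added defender-side example (not part of the article), the following check flags Office attachments that carry a VBA project, the delivery path described above, by inspecting file content rather than the extension; it assumes the OOXML zip layout and reports legacy OLE binaries separately, since inspecting those needs a dedicated parser.

```python
import io
import zipfile

# Constructed constants: OLE compound-file magic and the standard OOXML parts
# in which Word, Excel and PowerPoint store an embedded VBA project.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-office' from content alone."""
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros may be present but need an OLE parser to see.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            if any(part in names for part in VBA_PARTS):
                return "macro"
            if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
            # A vbaProject.bin stored under a non-standard folder still counts.
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro doc", build_sample(True)), ("plain doc", build_sample(False))):
        print(label, "->", classify_attachment(blob))
```

A mail gateway or EDR rule built on this check quarantines the "macro" and "legacy-ole" classes for review instead of trusting a harmless-looking .docx or .xlsx extension.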

The primary objective of this software is to steal banking information [6] from users of infected machines in order to launch fraudulent transactions immediately. To capture banking information, the software installs a keyboard listener and performs injection attacks. During 2015, losses attributed to this software were estimated at £20 million in the United Kingdom and $10 million in the United States. By 2015, Dridex attacks had been detected in more than 20 countries. In early September 2016, researchers spotted initial support for targeting cryptocurrency wallets. [7]

In December 2019, US authorities filed charges against two suspects believed to have created the Dridex malware, including the group's alleged leader. [8]

Evil Corp

Evil Corp (a.k.a. Dridex and INDRIK SPIDER) is a Russian hacking group that has been active since 2009. [9] In 2019, the Federal Bureau of Investigation (FBI) named nine alleged members of the group, accusing them of extorting or stealing over $100,000,000 through hacks that affected 40 countries. [10] The United States Department of the Treasury additionally imposed sanctions against the group. [11] In November 2021, the British Broadcasting Corporation published an investigation which found that the two alleged leaders of the group were living openly in Russia. [10] [12]

In June 2022, Mandiant reported that Evil Corp was using off-the-shelf ransomware, such as LockBit, to conceal its identity and evade sanctions. [13] The Office of Foreign Assets Control sanctioned Evil Corp in December 2019 over the development and use of the Dridex malware. [13] People in the United States were banned from "engaging in transactions" with Evil Corp. [13] People outside the US may be subject to secondary sanctions for knowingly facilitating significant transactions with Evil Corp. [13] The US government also charged two members of the gang and offered a reward of $5 million. [13]

Mandiant has linked the group to threat actor UNC2165. [13]

Emsisoft analysts said in December 2021 that they suspected a ransomware infection initially attributed to REvil was in fact the work of Evil Corp. [13]


References

  1. "Cyberthreats, viruses, and malware - Microsoft Security Intelligence". Microsoft.
  2. "Trojan.Dridex".
  3. "Search - Threat Encyclopedia".
  4. "Fortiguard".
  5. "Someone Hijacks Botnet Network & Replaces Malware with an Antivirus". 2016-02-04. Retrieved 2017-01-11.
  6. Kirk, Jeremy (2016-01-19). "Dridex banking malware adds a new trick". PCWorld. Retrieved 2017-01-11.
  7. Cimpanu, Catalin (2016-09-07). "Dridex Banking Trojan Will Soon Target Crypto-Currency Wallets". Softpedia. Retrieved 2017-01-11.
  8. Cimpanu, Catalin (2019-12-05). "US charges two members of the Dridex malware gang". ZDNet. Retrieved 2019-12-08.
  9. Mujezinovic, Damir (2021-09-10). "Evil Corp: A Deep Dive Into One of the World's Most Notorious Hacker Groups". MakeUseOf. Archived from the original on 2021-09-10. Retrieved 2021-11-23.
  10. Tidy, Joe (2021-11-17). "Evil Corp: 'My hunt for the world's most wanted hackers'". BBC News. Retrieved 2021-11-23.
  11. "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware". U.S. Department of the Treasury. 2019-12-05. Archived from the original on 2019-12-05. Retrieved 2021-11-23.
  12. White, Debbie (2021-11-17). "Hackers accused of stealing $100m live openly in Russia". The Times. ISSN 0140-0460. Retrieved 2021-11-23.
  13. Burt, Jeff (2022-06-03). "Even Russia's Evil Corp now favors software-as-a-service". The Register. Retrieved 2022-06-04.