Dridex Trojan posing serious financial theft threat

Symantec warns Dridex malware is using 'massive' spam campaigns to steal banking details

Tags: Banking and financeCyber crimeSymantec Corporation
  • E-Mail
Dridex Trojan posing serious financial theft threat The Dridex Trojan relies on sheer volume of spam emails to hit targets.
By  Mark Sutton Published  February 17, 2016

Symantec is warning of a financial theft Trojan which is being spread worldwide by a huge volume of spam emails.

The Dridex Trojan is being promulgated by millions of spam emails every day, according to the security company, making it one of the most dangerous cyber theft threats of recent years.

As part of research into the Dridex threat, Symantec said it detected at least 145 Dridex spam campaigns during one sample ten week period. The average number of emails blocked by Symantec per campaign was 271,019, indicating that the total number of emails being sent every day runs to millions.

Symantec security researcher Dick O'Brien warned that the sheer volume of spam emails was overwhelming some organisations: "Even organisations who are well protected against the group's malware can often struggle to cope with the sheer volume of spam the attackers send.

The malware was first detected in 2012, but attackers switched the method of propagation to "massive" spam email campaigns, Symantec said, and the malware's command and control (C&C) communications were switched to a peer-to-peer (P2P) format, greatly increasing the rate of spread and the network's resilience.

Dridex is designed to try to steal banking details from customers of over 300 financial organisations across 40 regions worldwide, particularly with a focus on wealthy English-speaking targets in Europe and Asia-Pacific.

Seventy-four percent of Dridex spam campaigns used real company names in the sender address and frequently in the email text. The vast majority of spam campaigns were disguised as financial emails, such as invoices, receipts, and orders. The spam was heavily focused on English speakers, with the majority of emails purporting to come from English-speaking companies.

Symantec said that the attackers behind Dridex appear to be well disciplined and professional, with constant refinements to the malware and "significant effort" going into disguising the spam campaigns as legitimate emails. The malware is believed to be the work of a professional gang, mainly based in Moldova.

Law enforcement action against the gang resulted in one arrest, and the removal of many PCs from the botnet, but the malware continues to spread so it is believed that Dridex still poses a serious threat, and will continue to do so well into 2016.

Infection numbers of Dridex peaked around June 2015 at 16,000 infections in one month, and have now levelled out at around 3,000 to 5,000 infections per month by end of 2015.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code