The Ancient Greek story of the Trojan Horse describes how Greek soldiers took over the city of Troy by hiding inside a giant wooden structure, which they offered as a gift.

The story is most likely a myth, historians say, but Trojan horse malware is as real as it gets: it's a type of malicious software that conceals its true intent in order to invade a computer or a network. And one of the most prolific banking Trojans of all time is Dridex.

So how does Dridex work? Is it still a threat? And how can you avoid falling victim?

What Is Dridex and How Does It Work?

Dridex first appeared in 2011 under the name Cridex, but it is also known as Bugat. It is thought to have evolved from the Zeus Trojan, which was widespread at the time.

Designed to steal banking credentials from users of Windows machines, Dridex is typically deployed via email and installed through a Microsoft Office file.

Here's how Dridex attacks usually take place.

First, cybercriminals obtain thousands of email addresses and send messages containing malicious Word or Excel files. They use a rudimentary social engineering technique to trick the target into downloading and opening the file: impersonating a legitimate entity, such as PayPal or UPS.

To view the downloaded file, the victim is told to enable editing (and with it, macros), which allows the malicious macro embedded in the document to execute. Once the target's computer is infected, the malware starts recording keystrokes and capturing banking credentials.


Several iterations of Dridex have been released into the wild since 2011, with the malware continually evolving and becoming more complex. It has gone from targeting individuals to being deployed against banking institutions and major organizations.

Up until 2016, Dridex mostly targeted bank accounts in Europe and Asia, but then shifted its focus to the United States.

In early 2021, for instance, as Americans were struggling to make ends meet due to the coronavirus pandemic, a new Dridex campaign emerged: thousands received emails from what appeared to be the Internal Revenue Service (IRS) asking them to fill out a form to apply for American Rescue Plan stimulus checks.


According to the US government, Dridex has done major damage to hundreds of banks and financial institutions in over 40 countries around the world, causing upwards of $100 million in theft.

Notably, when a new version of Dridex appears, older versions stop working, which shows that the same people have been involved in its development and deployment for nearly a decade.

It is widely believed that the notorious Russian cybercrime outfit Evil Corp is behind Dridex.

The group appears to have ties to Russian intelligence. Its alleged leader Maksim Yakubets was charged in 2019 by the US Justice Department, which is offering a $5 million reward for information leading to his arrest.

Why Is Dridex Still a Major Threat?

As an ever-evolving strain of malware, Dridex remains a major threat to banks, businesses, and individuals alike for several reasons.

The malware, especially its latest iterations, is nearly undetectable, can bypass anti-malware software, and hardly leaves any footprints on an infected system.

Unlike most Trojans, Dridex has the ability to masquerade as a legitimate Windows system process and uses a sophisticated technique for bypassing application whitelisting to evade detection.


In April 2021, cybersecurity researchers at Check Point described Dridex as the most prevalent malware in the world.

The threat posed by Dridex has become two-fold. Though dangerous on its own, this malware is also used in the initial stages of ransomware attacks, in which a cybercriminal deploys malware that encrypts an organization's data and demands a ransom payment to unlock it.

Ransomware attacks have been on the rise since the onset of the COVID-19 pandemic, with the transition to remote work exposing organizations to more risk.

According to some estimates, ransomware cost businesses around the world approximately $20 billion in 2020 compared with $11 billion in 2019, which makes ransomware attacks by far the fastest growing cyberthreat.

How to Protect Against Dridex


There is pretty much only one way to find out if your antivirus software is capable of detecting Dridex (getting infected), but obviously it would be very unwise to take that risk.

It goes without saying that you should never click on suspicious attachments or links, but scam emails that mimic legitimate entities are sometimes nearly flawless and one could very easily make the mistake of downloading an infected attachment.

This is why you always need to pay attention to the email address of the sender, not just their name. A genuine email from the online payment service Payoneer, for example, will always come from the official domain (e.g. noreply@payoneer.com).

If you're not sure whether an email is legitimate or not, you can always google the sender's address and see what comes up.

If you happen to download a file that seems suspicious, do not open it. Instead, head over to VirusTotal and upload the file there: this tool will quickly scan the file for dangerous content. Note that uploaded files are shared with VirusTotal's partners, so for a document that may contain sensitive data, search by the file's hash rather than uploading it.

VirusTotal can also scan web addresses to determine if they're safe. However, like any other tool, it has its limitations, so it's always best to double-check whether an email address is genuine.
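The two checks the article describes, looking past the display name to the sender's actual domain and treating Office attachments that carry macros as suspect, can be automated for triage before anyone opens a file. The script below is an added example, not code from the article or from any security vendor; it assumes a small brand-to-domain table (a hypothetical allow-list that you would maintain yourself) and builds a constructed phishing-style message inline, with a tiny zip container mimicking a macro-enabled Word document. No real Dridex sample is involved.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical table of brands a phishing mail might impersonate and the
# domain a genuine message from them would come from (assumption: your own
# organisation would maintain and extend this list).
EXPECTED_DOMAINS = {"paypal": "paypal.com", "ups": "ups.com",
                    "payoneer": "payoneer.com", "irs": "irs.gov"}

# Office file types that can carry VBA macros (legacy .doc/.xls included).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls"}


def build_sample() -> bytes:
    """Constructed phishing-style message (not a real sample): the display name
    claims PayPal, the address is on a look-alike domain, and the attachment is
    a minimal OOXML-like zip containing a VBA project part."""
    msg = EmailMessage()
    msg["From"] = "PayPal Service <service@paypa1-secure.example>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please enable editing to view the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # marker of embedded VBA
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed genuine-looking message: brand in display name, matching domain, no attachment."""
    msg = EmailMessage()
    msg["From"] = "Payoneer <noreply@payoneer.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your statement is ready"
    msg.set_content("Log in to your account to view your statement.")
    return msg.as_bytes()


def sender_domain_mismatch(msg: EmailMessage) -> list:
    """Flag a display name that names a known brand while the address domain differs."""
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, expected in EXPECTED_DOMAINS.items():
        if re.search(rf"\b{brand}\b", display.lower()):
            if domain != expected and not domain.endswith("." + expected):
                findings.append(f"display name claims {brand!r} but address domain is "
                                f"{domain!r} (expected {expected})")
    return findings


def attachment_findings(msg: EmailMessage) -> list:
    """Flag macro-capable file types and OOXML containers that embed a VBA project."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            findings.append(f"{name}: macro-capable file type {ext}")
        if data[:2] == b"PK":  # OOXML documents are zip containers
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                        findings.append(f"{name}: contains a VBA project (vbaProject.bin)")
            except zipfile.BadZipFile:
                findings.append(f"{name}: Office-style name but not a valid zip container")
    return findings


def triage(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return all findings (empty list means nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sender_domain_mismatch(msg) + attachment_findings(msg)


if __name__ == "__main__":
    for label, raw in (("phish", build_sample()), ("benign", build_benign())):
        print(label, triage(raw) or ["nothing flagged"])
```

The domain check deliberately accepts subdomains of the expected domain (mail.paypal.com) but not look-alikes (paypa1-secure.example), which is exactly the distinction the article's advice about reading the address rather than the name relies on. Checking for vbaProject.bin inside the zip catches a macro document even when it has been renamed to a harmless-looking extension.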


As for private companies and similar organizations, even those that use strong malware protection can fall victim to a cyberattack; employees are by far the most common cause of breaches.

For this reason, employers should educate staff on different types of malware and strive to create a healthy workplace culture centered around safe cybersecurity practices.

Purchasing employee monitoring software is always an option, and arguably the best way to keep tabs on an employee and monitor their online activity. Note that some monitoring tools are invasive and should be avoided.

Employers that feel like an additional layer of security is necessary should also consider investing in Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

A combination of IDS and IPS technology offers robust protection against most threats, including Dridex.

Practice Basic Security Measures

Dridex remains a huge threat to everyone, but you can minimize the risks by following simple security procedures.

That includes being suspicious of any unsolicited emails, not clicking on links or attachments, and regularly scanning for viruses. The risk is still there, as is always the case, but it's nonetheless reduced.