This Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) to identify and share information with the financial services sector. Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware and its variants. The report provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the tactics, techniques, and procedures (TTPs) contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning. For information regarding the malicious cyber actors responsible for the development and distribution of the Dridex malware, see the Treasury press release, Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware, and the FBI press release, Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware.
This Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated entities. Except where noted, there is no indication that the actual owner of the email address was involved in the suspicious or malicious activity. If activity related to these indicators of compromise is detected, please notify appropriate law enforcement and the CIG.
For a downloadable copy of IOCs, see: www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE.csv (CSV) and www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE_stix.xml (STIX).
The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.
Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to open attachments. Sender e-mail addresses can simulate individuals (a personal name as the local part), administrative accounts (for example, admin@ or support@), or common “do not reply” local parts (for example, noreply@). Subject and attachment titles can include typical terms such as “invoice”, “order”, “scan”, “receipt”, “debit note”, “itinerary”, and others.
The e-mail messages vary widely. The e-mail body may contain no text at all, only attachments whose names are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening of the malicious file. Where there is a message body, it may state that the contents of the e-mail underwent virus scanning, or it may simply direct the victim toward the link or attachment. In other cases, the body may include a long, substantive message, providing multiple points of contact and context for the malicious attachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames from scanners to filenames purporting to reference financial records. The body of the e-mail may or may not refer to the attachment by the same file name or string of numbers.
Example links and filenames (Note: link information is representative. Parenthesized placeholders stand for values generated automatically by the cloud storage provider; # represents a random digit.). Both links pass through a Google redirect (google.com/url?q=), so the domain a recipient sees first is Google’s while the file itself is hosted on a cloud storage service:
Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)[.]COM/S/(Cloud Account Value)/RECENT%20WIRE%20PAYMENT%20######.SCR?(Cloud Provided Sequence)
Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)[.]COM/S/(Cloud Account Value)/AUTOMATEDCLEARINGHOUSE%20PAYMENT####.DOC?(Cloud Provided Sequence)
Malicious file: ID201NLD0012192016.DOC
Attachments or eventual downloads can take a variety of formats. In some instances, malware downloaders are concealed in compressed files using the ZIP or RAR formats; occasionally compressed files are nested inside other compressed files (double zipped). The compressed files can include Extensible Markup Language (.xml), Microsoft Office (.doc, .xls), Visual Basic Script (.vbs), Java archive (.jar), or Portable Document Format (.pdf) files. Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach out to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware. In other cases, macros launch scripts that extract executables embedded in the document rather than downloading the payload.
By default, software generally prevents execution of macros without user permission. Attached files, particularly .doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download. Malicious files sometimes even include screenshots of the necessary actions to enable macros.
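The unpacking and inspection described in the two paragraphs above can be automated at the mail gateway. The following Python script is an added example and is not code from this alert: it walks nested ZIP archives (the double-zipped case), flags the file types listed above, recognises legacy OLE documents by their header, and detects macro-enabled Office Open XML documents by the presence of vbaProject.bin. The double-zipped sample it builds is constructed in memory and is not a real Dridex sample; RAR handling is omitted because Python’s standard library has no RAR reader, and inspecting macros inside legacy .doc/.xls files would need an OLE parser such as oletools.

```python
"""Triage a phishing attachment: recursively unpack nested ZIP archives and
flag the carrier file types the alert associates with Dridex downloaders.

Added example, not code from the CISA/Treasury alert. build_sample()
constructs test data in memory; it is not a real malware sample.
"""
import io
import zipfile

# Extensions the alert lists as downloader carriers inside archives.
SUSPICIOUS_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm", ".vbs",
                         ".jar", ".js", ".scr", ".pdf", ".xml"}
OFFICE_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm", ".docx", ".xlsx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls header
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 4  # deeper nesting than this is treated as evasive in itself


def classify_blob(name, data):
    """Return a list of findings (strings) for one extracted file."""
    findings = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        findings.append(f"suspicious extension {ext}")
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file; macro presence needs an OLE parser.
        findings.append("legacy OLE document (may carry VBA macros)")
    if data.startswith(ZIP_MAGIC) and ext in OFFICE_EXTENSIONS:
        # OOXML is a ZIP; a macro-enabled document carries vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as office:
                if any(n.endswith("vbaProject.bin") for n in office.namelist()):
                    findings.append("OOXML document with embedded VBA project")
        except zipfile.BadZipFile:
            findings.append("Office extension but corrupt ZIP container")
    return findings


def triage_archive(data, depth=0, path="attachment.zip"):
    """Walk nested ZIPs; return [(inner_path, findings), ...] for every file."""
    if depth > MAX_DEPTH:
        return [(path, ["nesting deeper than MAX_DEPTH, treat as evasive"])]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an archive at all: classify the blob itself.
        return [(path, classify_blob(path, data))]
    results = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = zf.read(info)
            inner_path = f"{path}/{info.filename}"
            if inner.startswith(ZIP_MAGIC) and info.filename.lower().endswith(".zip"):
                results.extend(triage_archive(inner, depth + 1, inner_path))
            else:
                results.append((inner_path, classify_blob(info.filename, inner)))
    return results


def verdict(results):
    """Gateway decision: block if any inner file produced a finding."""
    return "block" if any(findings for _, findings in results) else "allow"


def build_sample():
    """Constructed double-zipped sample: outer.zip -> invoice.zip -> files."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("RECENT WIRE PAYMENT 4821.docm", docm.getvalue())
        z.writestr("scan_0012.vbs", b'CreateObject("WScript.Shell")')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = triage_archive(build_sample())
    for inner_path, findings in results:
        print(inner_path, "->", "; ".join(findings) or "clean")
    print("verdict:", verdict(results))
```

The depth limit matters as much as the signatures: an archive nested several levels deep is itself a reason to quarantine, since legitimate correspondence rarely needs it and each layer is another chance for a scanner to give up.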
Dridex malware operates from multiple modules that may be downloaded together or after the initial “loader” module. Modules include provisions for capturing screenshots, providing hidden remote desktop (VNC) access, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for exfiltration of data. Recent versions of Dridex exploit CVE-2017-0199, a remote code execution vulnerability specific to Microsoft Office and WordPad. Microsoft released a patch in April 2017, so systems current on Office updates are not exposed to this vector.
Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing remote (VNC) access to deleting files. The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject code or keylogging functionality, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks, in XML format in older versions or in binary format in newer versions. After stealing the login data, the attackers can initiate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially repurpose victim accounts for other scams involving business e-mail compromise or money mule activity.
The Dridex malware has evolved through several versions since its inception, partially to adapt to updated browsers. Although the characteristics described reflect some of the most recent configurations, actors continue to identify and exploit vulnerabilities in widely used software.
While Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to represent a threat. Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it shares some of their code. Although the previous variants’ theft activities operate in mostly the same way, the P2P communication aspects of Dridex improve its concealment and redundancy.
Actors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data theft. The two families use the same mechanics for several functions, and the authors compiled the code at nearly the same time. Ransomware distributed through this infrastructure has targeted U.S. financial institutions and resulted in data and financial loss.
Locky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously. Variants of Locky include Zepto and Osiris. Locky ransomware and its variants have a wide footprint, with varying impact depending on victim IT policies and practices and network configurations.
Although the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware distribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of attacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky campaigns, as well as other massive malware spam (malspam) campaigns to actors known alternately as Evil Corp or TA505. (Note: some cybersecurity industry reporting simply refers to the actors as “Dridex” or the “Dridex hackers.”) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day, although volume of messages varies widely.
The following indicators are associated with the activity described in this report:
Indicator Type | Indicator Value | Associated Activity |
---|---|---|
Email address | info[@]antonioscognamiglio[.]it | Dridex |
Email address | info[@]golfprogroup[.]com | Dridex |
Email address | cariola72[@]teletu[.]it | Dridex |
Email address | faturamento[@]sudestecaminhoes[.]com.br | Dridex |
Email address | info[@]melvale[.]co.uk | Dridex |
Email address | fabianurquiza[@]correo.dalvear[.]com.ar | Dridex |
Email address | web1587p16[@]mail.flw-buero[.]at | Dridex |
Email address | bounce[@]bestvaluestore[.]org | Dridex |
Email address | farid[@]abc-telecom[.]az | Dridex |
Email address | admin[@]sevpazarlama[.]com | Dridex |
Email address | pranab[@]pdrassocs[.]com | Dridex |
Email address | tom[@]blackburnpowerltd[.]co.uk | Dridex |
Email address | yportocarrero[@]elevenca[.]com | Dridex |
Email address | s.palani[@]itifsl.co[.]in | Dridex |
Email address | faber[@]imaba[.]nl | Dridex |
Email address | admin[@]belpay[.]by | Dridex |
IP address | 62[.]149[.]158[.]252 | Dridex |
IP address | 177[.]34[.]32[.]109 | Dridex |
IP address | 2[.]138[.]111[.]86 | Dridex |
IP address | 122[.]172[.]96[.]18 | Dridex |
IP address | 69[.]93[.]243[.]5 | Dridex |
IP address | 200[.]43[.]183[.]102 | Dridex |
IP address | 79[.]124[.]76[.]30 | Dridex |
IP address | 188[.]125[.]166[.]114 | Dridex |
IP address | 37[.]59[.]52[.]64 | Dridex |
IP address | 50[.]28[.]35[.]36 | Dridex |
IP address | 154[.]70[.]39[.]158 | Dridex |
IP address | 108[.]29[.]37[.]11 | Dridex |
IP address | 65[.]112[.]218[.]2 | Dridex |
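The alert asks defenders to fold these indicators into existing detection. The Python below is an added example, not part of this alert: it refangs the published `[.]`/`[@]` notation, deduplicates the list (the table above repeats two addresses), validates the IP entries, and matches the result against mail and proxy log lines. The indicator values are copied from the table; the log lines are constructed for illustration in Postfix-style and Squid-style formats and do not come from any real incident.

```python
"""Load defanged IOCs from the alert, normalise them, and sweep log lines.

Added example, not part of the CISA/Treasury alert. Indicator values are
from the table above; SAMPLE_LOGS are constructed, not real log data.
"""
import ipaddress
import re

# A subset of the table, as published (defanged). Duplicates are deliberate:
# the source table repeats bounce[@]bestvaluestore[.]org.
RAW_INDICATORS = [
    ("Email address", "info[@]golfprogroup[.]com"),
    ("Email address", "bounce[@]bestvaluestore[.]org"),
    ("Email address", "bounce[@]bestvaluestore[.]org"),
    ("Email address", "faturamento[@]sudestecaminhoes[.]com.br"),
    ("IP address", "62[.]149[.]158[.]252"),
    ("IP address", "188[.]125[.]166[.]114"),
]


def refang(value):
    """Turn the alert's defanged notation back into a matchable string."""
    return value.replace("[.]", ".").replace("[@]", "@")


def load_indicators(rows):
    """Return {'email': set, 'ip': set} of refanged, lower-cased, validated IOCs."""
    emails, ips = set(), set()
    for kind, value in rows:
        clean = refang(value).strip().lower()
        if kind == "Email address":
            emails.add(clean)
        elif kind == "IP address":
            # ip_address() raises ValueError on a malformed entry, so a typo
            # in the feed fails loudly instead of silently never matching.
            ips.add(str(ipaddress.ip_address(clean)))
    return {"email": emails, "ip": ips}


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


def scan_logs(lines, iocs):
    """Return [(line_number, matched_ioc), ...], one entry per IOC per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in iocs["email"]:
                seen.add(addr.lower())
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                seen.add(ip)
        hits.extend((n, ioc) for ioc in sorted(seen))
    return hits


# Constructed log lines: two Postfix smtpd entries, two Squid access entries.
SAMPLE_LOGS = [
    "Dec 05 09:14:02 mx1 postfix/smtpd[4711]: client=unknown[203.0.113.7], "
    "from=<info@golfprogroup.com>, to=<ap@example.com>",
    "Dec 05 09:14:09 mx1 postfix/smtpd[4711]: client=unknown[198.51.100.22], "
    "from=<bounce@bestvaluestore.org>, to=<treasury@example.com>",
    "1575537300.112 231 10.0.8.15 TCP_MISS/200 4096 GET "
    "http://62.149.158.252/s/update.php - HIER_DIRECT/62.149.158.252 application/octet-stream",
    "1575537311.004 87 10.0.8.22 TCP_MISS/200 512 GET "
    "http://198.51.100.9/ - HIER_DIRECT/198.51.100.9 text/html",
]


if __name__ == "__main__":
    iocs = load_indicators(RAW_INDICATORS)
    for line_no, ioc in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {line_no}: matched {ioc}")
```

Sender addresses are the weakest of these indicators: the alert itself notes that the mailbox owners were generally not involved, so a hit on an e-mail IOC should trigger a look at the message and its attachment rather than a block on the domain.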
Treasury and CISA encourage users and organizations to:
The following mitigation recommendations respond directly to Dridex TTPs:
The National Institute of Standards and Technology (NIST) has published additional information on malware incident prevention and handling in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops: www.nist.gov/publications/guide-malware-incident-prevention-and-handling-desktops-and-laptops
The National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies (<https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1>). Aligned with the NIST Cybersecurity Framework, the Strategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat (APT) actors.
The Strategies counter a broad range of exploitation techniques used by malicious cyber actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and best practices will be required to mitigate new tactics as they emerge.
Reporting Suspected Malicious Activity
To report an intrusion and request resources for incident response or technical assistance, contact CISA (888-282-0870), FBI through a local field office (<https://www.fbi.gov/contact-us/field-offices>), or FBI’s Cyber Division (855-292-3937).
Institutions should determine whether filing of a Suspicious Activity Report (“SAR”) is required under Bank Secrecy Act regulations. In instances where filing is not required, institutions may file a SAR voluntarily to aid FinCEN and law enforcement efforts in protecting the financial sector. Financial institutions are encouraged to provide relevant cyber-related information and indicators in their SAR reporting. For questions regarding cyber SAR filing, please contact the FinCEN Resource Center (1-800-767-2825).
Revisions: December 5, 2019: Initial version; December 5, 2019: Added links to Treasury and FBI press releases; January 2, 2020: Updated CISA contact information
The following represents an alphabetized selection of open-source reporting by U.S. government and industry sources on Dridex malware and its derivatives:
www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf
blog.avast.com/a-closer-look-at-the-locky-ransomware
blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
blogs.cisco.com/security/talos/spam-dridex
blogs.forcepoint.com/blog/security-labs/new-year-new-look-dridex-compromised-ftp
home.treasury.gov/news/press-releases/sm845
www.alertlogic.com/resources/threat-reports/dridex-malware-has-evolved-to-locky-ransomware/
www.cisecurity.org/wp-content/uploads/2018/09/MS-ISAC-Cyber-Crime-Technical-Desk-Reference.pdf
www.cyber.nj.gov/threat-profiles/trojan-variants/dridex
www.fbi.gov/contact-us/field-offices
www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/
www.forbes.com/sites/thomasbrewster/2015/10/13/dridex-botnet-takedown/
www.fox-it.com/en/about-fox-it/corporate/news/fbi-announces-dridex-gang-indictments-praises-fox/
www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens
www.nist.gov/publications/guide-malware-incident-prevention-and-handling-desktops-and-laptops
www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1
www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day
www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return
www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation
www.securityweek.com/dridex-still-active-after-takedown-attempt
www.symantec.com/connect/blogs/dridex-and-how-overcome-it
www.us-cert.gov/ncas/alerts/TA15-286A
www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE.csv
www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE_stix.xml
www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/