Last week, the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released a joint alert focused on notifying financial institutions that an increasing number of cyberattacks utilizing the Dridex malware and several variants of that malware are being pointed at financial institutions and their customers. Dridex is not a new strain of malware, in fact it first appeared in 2012 and became very prevalent by 2015 as a financial trojan; however, the more recent versions of the malware are targeting a vulnerability that allows for remote execution of code specific to Microsoft Office and WordPad. It should be noted that Microsoft released a patch for this vulnerability in 2017, which stresses the importance of having strong patch management processes. Unsurprisingly, the malware is typically distributed through phishing campaigns where bad actors are using legitimate business names, in conjunction with spoofed domain names to coerce the receiver of the message to open and download the attached corrupted files.
Why the Increase in Cyber Attacks?
So why are we seeing an increasing number of attacks being pointed at Financial Institutions and their customers? Well, aside from the fact that financial institutions have an abundance of the two things cyber criminals covet most, money and data, Dridex malware has the ability to infiltrate browsers, detect access to online banking applications and steal customer login credentials. Once the bad actor has customer credentials, they are able to initiate ACH and wire transfers, open fraudulent accounts, among other malicious activities.
Cyber Risk Management
One thing that our team continues to stress is cybersecurity training for employees and educating consumers about the cyber risks associated with using internet and mobile banking products. While there are numerous cutting-edge technologies that can help detect and prevent phishing emails from reaching your end users, with time, there is always an increased risk that cybercriminals can find ways to bypass this technology. At this point, it’s estimated that 90 percent of all data breaches have an element of social engineering, which amplifies the importance of continuous education for end users, as people continue to be the greatest cyber threat.
| Indicator Type | Indicator Value | Associated Activity |
|---|---|---|
| Email address | info[@]antonioscognamiglio[.]it | Dridex |
| Email address | info[@]golfprogroup[.]com | Dridex |
| Email address | cariola72[@]teletu[.]it | Dridex |
| Email address | faturamento[@]sudestecaminhoes[.]com.br | Dridex |
| Email address | info[@]melvale[.]co.uk | Dridex |
| Email address | fabianurquiza[@]correo.dalvear[.]com.ar | Dridex |
| Email address | web1587p16[@]mail.flw-buero[.]at | Dridex |
| Email address | bounce[@]bestvaluestore[.]org | Dridex |
| Email address | farid[@]abc-telecom[.]az | Dridex |
| Email address | bounce[@]bestvaluestore[.]org | Dridex |
| Email address | admin[@]sevpazarlama[.]com | Dridex |
| Email address | faturamento[@]sudestecaminhoes[.]com.br | Dridex |
| Email address | pranab[@]pdrassocs[.]com | Dridex |
| Email address | tom[@]blackburnpowerltd[.]co.uk | Dridex |
| Email address | yportocarrero[@]elevenca[.]com | Dridex |
| Email address | s.palani[@]itifsl.co[.]in | Dridex |
| Email address | faber[@]imaba[.]nl | Dridex |
| Email address | admin[@]belpay[.]by | Dridex |
| IP address | 62[.]149[.]158[.]252 | Dridex |
| IP address | 177[.]34[.]32[.]109 | Dridex |
| IP address | 2[.]138[.]111[.]86 | Dridex |
| IP address | 122[.]172[.]96[.]18 | Dridex |
| IP address | 69[.]93[.]243[.]5 | Dridex |
| IP address | 200[.]43[.]183[.]102 | Dridex |
| IP address | 79[.]124[.]76[.]30 | Dridex |
| IP address | 188[.]125[.]166[.]114 | Dridex |
| IP address | 37[.]59[.]52[.]64 | Dridex |
| IP address | 50[.]28[.]35[.]36 | Dridex |
| IP address | 154[.]70[.]39[.]158 | Dridex |
| IP address | 108[.]29[.]37[.]11 | Dridex |
| IP address | 65[.]112[.]218[.]2 | Dridex |
For your information, below, you can see a list of known email and IP addresses associated with the Dridex malware strain.
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.