FoxPointe Security Hub

Dridex Malware Cyberattacks Increasing

Identity Theft

Dridex Malware

Last week, the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released a joint alert focused on notifying financial institutions that an increasing number of cyberattacks utilizing the Dridex malware and several variants of that malware are being pointed at financial institutions and their customers. Dridex is not a new strain of malware, in fact it first appeared in 2012 and became very prevalent by 2015 as a financial trojan; however, the more recent versions of the malware are targeting a vulnerability that allows for remote execution of code specific to Microsoft Office and WordPad. It should be noted that Microsoft released a patch for this vulnerability in 2017, which stresses the importance of having strong patch management processes. Unsurprisingly, the malware is typically distributed through phishing campaigns where bad actors are using legitimate business names, in conjunction with spoofed domain names to coerce the receiver of the message to open and download the attached corrupted files.

Why the Increase in Cyber Attacks?

So why are we seeing an increasing number of attacks being pointed at Financial Institutions and their customers? Well, aside from the fact that financial institutions have an abundance of the two things cyber criminals covet most, money and data, Dridex malware has the ability to infiltrate browsers, detect access to online banking applications and steal customer login credentials. Once the bad actor has customer credentials, they are able to initiate ACH and wire transfers, open fraudulent accounts, among other malicious activities.

Cyber Risk Management

One thing that our team continues to stress is cybersecurity training for employees and educating consumers about the cyber risks associated with using internet and mobile banking products. While there are numerous cutting-edge technologies that can help detect and prevent phishing emails from reaching your end users, with time, there is always an increased risk that cybercriminals can find ways to bypass this technology. At this point, it’s estimated that 90 percent of all data breaches have an element of social engineering, which amplifies the importance of continuous education for end users, as people continue to be the greatest cyber threat.

Indicator Type Indicator Value Associated Activity
Email address info[@]antonioscognamiglio[.]it Dridex
Email address info[@]golfprogroup[.]com Dridex
Email address cariola72[@]teletu[.]it Dridex
Email address faturamento[@]sudestecaminhoes[.] Dridex
Email address info[@]melvale[.] Dridex
Email address fabianurquiza[@]correo.dalvear[.] Dridex
Email address web1587p16[@]mail.flw-buero[.]at Dridex
Email address bounce[@]bestvaluestore[.]org Dridex
Email address farid[@]abc-telecom[.]az Dridex
Email address bounce[@]bestvaluestore[.]org Dridex
Email address admin[@]sevpazarlama[.]com Dridex
Email address faturamento[@]sudestecaminhoes[.] Dridex
Email address pranab[@]pdrassocs[.]com Dridex
Email address tom[@]blackburnpowerltd[.] Dridex
Email address yportocarrero[@]elevenca[.]com Dridex
Email address s.palani[@][.]in Dridex
Email address faber[@]imaba[.]nl Dridex
Email address admin[@]belpay[.]by Dridex
IP address 62[.]149[.]158[.]252 Dridex
IP address 177[.]34[.]32[.]109 Dridex
IP address 2[.]138[.]111[.]86 Dridex
IP address 122[.]172[.]96[.]18 Dridex
IP address 69[.]93[.]243[.]5 Dridex
IP address 200[.]43[.]183[.]102 Dridex
IP address 79[.]124[.]76[.]30 Dridex
IP address 188[.]125[.]166[.]114 Dridex
IP address 37[.]59[.]52[.]64 Dridex
IP address 50[.]28[.]35[.]36 Dridex
IP address 154[.]70[.]39[.]158 Dridex
IP address 108[.]29[.]37[.]11 Dridex
IP address 65[.]112[.]218[.]2 Dridex

For your information, below, you can see a list of known email and IP addresses associated with the Dridex malware strain.

FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.

IP Addresses Associated with the Dridex Malware