Protect yourself against Dridex

Dridex banking malware

The Dridex banking malware (and Bartalex) is one of the cyber security threats that organizations face today. The malware attempts to steal credentials for banking websites and acquire personal information entered into websites that are of interest to the attackers.

It uses HTML injections and changes often, making it harder for antivirus solutions to detect it.

Dridex is delivered in three stages.

  1. A spam campaign delivering an e-mail with an attachment;
  2. A Word document with a macro;
  3. The actual Dridex malware, downloaded by the macro.

How do you protect yourself against Dridex?

An antivirus solution will only partly protect you against Dridex. It’s characteristics change so often that it becomes a cat and mouse game for the attackers and antivirus-signature writers, desperately trying to catch up. Signature based detection is not suited for this type of malware. There will always be a window of opportunity for the attackers. During that window they can deliver a new slightly modified version of the malware. It will take some time before it’s picked up by antivirus provider and incorporated in their signatures.

Basically there are two measures that help you in being protected against Dridex. Don’t open an attachment you’ve not asked for. Have macro’s in Office disabled. If you’re working in an IT environment that still has Office macro’s enabled by default then you should point out that this is really not a good idea.

A detailed overview of what you can do for protecting end users against Dridex :

  1. Have Office macros disabled by default;
  2. Use attachment sandboxing;
    • Ideally you extract any type of archive file and observe its behavior;
    • Open attachments in sandboxes before they are being delivered to the end-user;
  3. Raise awareness amongst your users that they should not open attachments that they did not ask for;
  4. Educate your users to hover above the URL in e-mails and manually verify it links to the intended location (ideally you force e-mails to be displayed in text only);
  5. Use a host intrusion detection / prevention system that prevents applications from being executed in temporary folders;
  6. Have your antivirus signatures updated so that at least older versions of Dridex are detected;
  7. Only allow whitelisted executables to be run by end-users;
  8. Update your blacklists for proxies, firewalls, etc. frequently so that you detect traffic related to older versions of Dridex;

How do you protect your customers against Dridex?

As a service provider there’s not a lot that you can do to protect your customers. A couple of good practices can help though :

  1. Use your own domain in all your e-mail communication. Don’t use a third party (e-mail) domain for surveys, online help or campaigns;
  2. Educate your customers, explain them how you communicate so that they can more easily differentiate between legitimate and fake messages;
  3. Don’t create a habit of sending e-mails with PDFs or Word documents;
  4. Provide two factor authentication;
  5. Digitally sign your e-mail messages;

Leave a Reply

Your email address will not be published. Required fields are marked *