IBM threat analyst Limor Kessem says the Dridex trojan has been revamped and for the last fortnight has targeted rich UK bank accounts in an expensive and well-resourced campaign.
The gang behind the malware, dubbed Evil Corp, released the update to Dridex detected 6 January such that it would go after the richest British businesses with polished phishing campaigns.
Dridex is among the top three worst banking malware families and borrows tricks from top villain Dyre, and is detected by only a handful of antivirus platforms.
US businesses alone are said to have lost more than a billion in 2014 to business email compromise, a somewhat different attack to Dridex that targets CEOs with fake invoices.
Dridex goes further infecting machines such that efforts to reach legitimate bank sites pushes victims to phishing pages.
It is slung over the popular Andromeda botnet and is hitting inboxes masquerading as business invoices, which when clicked, will infect machines such that visitors are redirected from legitimate bank sites to malicious versions.
IBM's "X-Force researchers studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology," Kessem says.
"By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.
"When Dyre started using this scheme, it was targeting over a dozen banks; a rather resource-intensive operation that eventually drove Dyre’s operators to switch back to using web injections and page replacements."
Kessem says DNS cache poisoning on local endpoints pushes users to the expensive bank site replicas.
Here attackers insert fake addresses for domains forcing browsers to route traffic the malicious servers as long as the entry remains cached. ®