Page 10 - 2Q2017 Reporter

Dridex's Microsoft Trojan Horse

by Elizabeth K. Madlem, Associate General Counsel, Compliance Alliance
It is the end of an era. Gone are the glamorized Hollywood bank robbers, with blazing tommy guns and getaway cars; an iconic image, a recognizable threat. Now the enemy is faceless, but the threat is much more menacing. Cyber-warfare today is conducted more passively and much less publicly, as attackers infiltrate the financial markets, siphoning off large amounts of data, including bank account details. That data is worth more than the gold bullion tucked away in any vault, yet the motives for these crimes are often a mystery, as are their targets. From large financial titans to small mom-and-pop establishments, no one is safe from attack. The essential information that allows financial institutions to thrive is now their Achilles' heel.

In the past five years, the NSA, the world's largest electronic spying agency, has been asked to provide advice and assistance to help banks assess their current systems and better understand attackers' maneuvers. The most common tool of the cyber assailant is the attack on the financial institution's website known as distributed denial-of-service, or DDoS, in which web servers become overwhelmed with traffic, slowing their responsiveness and even crashing them altogether. Lasting only an hour or two, these disruptions do not necessarily involve data theft, but they may cause massive interruptions to online banking services and day-to-day operations; the costs are often incalculable.

Recently, cyber-scammers have been unleashing massive, highly sophisticated email campaigns aimed at tricking their recipients, with global giant Microsoft ensnared in the ploy. In the past, a typical email scam achieved its goals through common phishing schemes, like ones that pretend to be from the SEC or announce "You're a Winner of $1 Million Dollars." Victims accidentally click on links and upload malware into their systems.

But now, Dridex malware (also known as Bugat and Cridex) specializes in stealing bank credentials, using unpatched zero-day flaws in Microsoft Word to deliver weaponized Word documents. Clicking on the document starts the download of a "Dridex banking Trojan," which installs a program whose sole purpose is to steal banking information. The masterminds behind Dridex malware use Microsoft's popular office software to spread their banking Trojan by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office. With an overwhelmingly massive spam campaign, the malware targets and monitors a victim's traffic to bank sites, stealing the victim's online banking credentials and financial data.

Emails will have an attached Microsoft RTF (Rich Text Format) document. Messages and senders may appear familiar: from "[device]@[recipient's domain]," with [device] being "copier," "documents," "noreply," "no-reply," or "scanner." Typically, the subject line in all cases will read "Scan Data," and the attachments will be named "Scan_123456.doc" or "Scan_123456.pdf," where "123456" is replaced by random numbers. Microsoft has publicly known of this flaw since January 2017 and has released a series of patches in its updates within the past month.

Yet the NSA's recent infiltration of EastNets' bank servers (EastNets is a Dubai-based firm that oversees payments in the global SWIFT transaction system for client banks and other firms), which revealed detailed lists of hacked or potentially hacked target computers as well as information on new hacking tools that mainly target Windows versions, serves as a reminder that every internet-connected computer running Windows is open to hacking.

Financial institutions should remain vigilant about all Windows updates to make sure their patching is safe and up to date, against Dridex and all other threats. Banks should also monitor that third-party providers patch their systems as well. Layered defenses and redundant systems are key. Vigilance, education, and a strictly enforced internet and email policy are the best ways to defend.
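The lure characteristics the article lists (a device-style sender at the recipient's own domain, the "Scan Data" subject, the Scan_123456.doc or .pdf attachment name, and RTF content carrying a .doc or .pdf extension) can be combined into a mail-gateway triage rule. The following is an added example written for this article, not code from the original or from any vendor. The sample messages are constructed, the domains are placeholders, and the check that RTF content begins with `{\rtf` is an assumption about the file format rather than something the article states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the article's description of the Dridex lure emails.
SPOOFED_LOCAL_PARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
SUBJECT_PATTERN = re.compile(r"^\s*scan data\s*$", re.IGNORECASE)
ATTACHMENT_PATTERN = re.compile(r"^scan_\d{6}\.(doc|pdf)$", re.IGNORECASE)
# Assumption about the RTF format (not from the article): RTF files start with "{\rtf".
RTF_MAGIC = b"{\\rtf"


@dataclass
class Message:
    """Minimal view of one inbound email (constructed for this example)."""
    sender: str
    recipient: str
    subject: str
    attachment_name: str
    attachment_bytes: bytes


def _local_part(address: str) -> str:
    return address.rsplit("@", 1)[0].lower()


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def match_indicators(msg: Message) -> list[str]:
    """Return the name of every Dridex-lure indicator this message matches."""
    hits: list[str] = []
    if (_local_part(msg.sender) in SPOOFED_LOCAL_PARTS
            and _domain(msg.sender) == _domain(msg.recipient)):
        hits.append("device-style sender spoofing the recipient's own domain")
    if SUBJECT_PATTERN.match(msg.subject):
        hits.append('subject "Scan Data"')
    if ATTACHMENT_PATTERN.match(msg.attachment_name):
        hits.append("attachment named Scan_<6 digits>.doc/.pdf")
    if (msg.attachment_bytes.startswith(RTF_MAGIC)
            and not msg.attachment_name.lower().endswith(".rtf")):
        hits.append("RTF content disguised under a non-.rtf extension")
    return hits


def is_suspected_lure(msg: Message, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` indicators match.

    A single indicator (for example a genuine office scanner emailing a scan
    from the bank's own domain) is normal traffic; it is the combination of
    indicators that characterises the campaign.
    """
    return len(match_indicators(msg)) >= threshold


# Constructed sample messages; none of these are real captured emails.
SAMPLES = [
    Message(  # the lure as the article describes it
        sender="scanner@examplebank.test",
        recipient="teller@examplebank.test",
        subject="Scan Data",
        attachment_name="Scan_483921.doc",
        attachment_bytes=b"{\\rtf1\\ansi\\deff0 ...",
    ),
    Message(  # ordinary partner correspondence carrying a genuine PDF
        sender="alice@partner.test",
        recipient="teller@examplebank.test",
        subject="Q2 invoice",
        attachment_name="invoice.pdf",
        attachment_bytes=b"%PDF-1.4 ...",
    ),
    Message(  # a real internal scanner: one indicator only, so not flagged
        sender="scanner@examplebank.test",
        recipient="teller@examplebank.test",
        subject="Scanned document",
        attachment_name="scan_001.pdf",
        attachment_bytes=b"%PDF-1.4 ...",
    ),
]


def triage(messages: list[Message]) -> list[tuple[str, bool, list[str]]]:
    """Summarise each message as (attachment name, flagged?, matched indicators)."""
    return [(m.attachment_name, is_suspected_lure(m), match_indicators(m))
            for m in messages]


if __name__ == "__main__":
    for name, flagged, hits in triage(SAMPLES):
        print(f"{name}: {'FLAG' if flagged else 'ok'} {hits}")
```

The threshold exists because each indicator on its own is ordinary traffic; a real copier does send "scanner@" mail from the bank's own domain. Requiring two or more matches keeps that traffic flowing while still catching the full lure, and the RTF-under-another-extension check holds up even when the sender, subject and file name are changed in a later wave.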

Second Quarter 2017    Illinois Reporter