Page 10 - 2Q2017 Reporter
Dridex's Microsoft Trojan Horse
by Elizabeth K. Madlem, Associate General Counsel, Compliance Alliance
It is the end of an era. Gone are the glamorized Hollywood bank robbers, with blazing tommy guns and getaway cars; an iconic image, a recognizable threat. Now the enemy is faceless, but the threat is much more menacing. Cyber-warfare today is conducted more passively and much less publicly, as attackers infiltrate the financial markets and siphon off large amounts of data, including bank account details. Worth more than the bullion tucked away in any vault, the motives for these crimes are often a mystery – as are their targets. From large financial titans to small mom-and-pop establishments, no one is safe from attack. The essential information that allows financial institutions to thrive is now their Achilles' heel.

In the past five years, the NSA, the world's largest electronic spying agency, has been asked to provide advice and assistance to help banks assess their current systems and to better understand attackers' maneuvers. The most common tool of the cyber assailant is the attack on a financial institution's website known as a distributed denial-of-service attack, or DDoS, in which web servers become overwhelmed with traffic, slowing their responsiveness and even crashing them altogether. Lasting only an hour or two, these disruptions do not necessarily involve data theft, but they may cause massive interruptions to online banking services and day-to-day operations; the costs are often incalculable.

Recently, cyber-scammers have been unleashing massive, highly sophisticated email campaigns aimed at tricking their recipients, with global giant Microsoft ensnared in the ploy. In the past, a typical email scam achieved its goals through common phishing schemes, like ones that pretend to be from the SEC or announce "You're a Winner of $1Million Dollars." Victims accidentally click on links and upload malware into their systems.

But now, Dridex malware (also known as Bugat and Cridex) specializes in stealing bank credentials using unpatched zero-day flaws in Microsoft Word to deliver weaponized Word documents. Clicking on the document starts the download of a "Dridex banking Trojan," which installs a program whose sole purpose is to steal banking information. The masterminds behind Dridex malware use Microsoft's popular office software to spread their banking Trojan by exploiting an unpatched Microsoft Word vulnerability present in all current versions of Microsoft Office. With an overwhelmingly massive spam campaign, the malware targets and monitors a victim's traffic to bank sites, stealing the victim's online banking credentials and financial data.

Emails will have an attached Microsoft RTF (Rich Text Format) document. Messages and senders may appear familiar: from "[device]@[recipient's domain]" – with [device] being "copier," "documents," "noreply," "no-reply," or "scanner." Typically, the subject line in all cases will read "Scan Data," and the message will include attachments named "Scan_123456.doc" or "Scan_123456.pdf," where "123456" is replaced by random numbers. Microsoft has publicly known of this flaw since January 2017, and has released a series of patches in its updates within the past month.

Yet with the NSA's recent infiltration of EastNets' bank servers—a Dubai-based firm that oversees payments in the global SWIFT transaction system for client banks and other firms—which revealed detailed lists of hacked or potentially hacked targeted computers, as well as information on new hacking tools that mainly target Windows versions, it serves as a reminder that every internet-connected computer running Windows is open to hacking. Financial institutions should remain vigilant on all Windows updates to make sure the patching is safe and up-to-date—against Dridex and all other threats. Banks should also monitor that third-party providers patch their systems as well. Layered defenses and redundant systems are key. Vigilance, education, and a strictly enforced internet and email policy are the best ways to defend.
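The lure characteristics the article lists (a device-style sender at the recipient's own domain, the "Scan Data" subject, and "Scan_<digits>.doc/.pdf" attachments) can be turned into a mail-gateway triage check. The following is an added example, not code from the article or from Compliance Alliance; the Message class, the indicator names and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Sender local-parts the article lists for the "[device]@[recipient's domain]" lure.
DEVICE_LOCALPARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
# Attachment names "Scan_123456.doc" / "Scan_123456.pdf", digits randomised.
SCAN_ATTACHMENT = re.compile(r"^scan_\d+\.(doc|pdf)$", re.IGNORECASE)

@dataclass
class Message:  # hypothetical minimal mail record used for this example
    sender: str
    recipient: str
    subject: str
    attachments: list = field(default_factory=list)

def dridex_lure_indicators(msg):
    """Return the names of the article's lure indicators this message matches."""
    hits = []
    s_local, _, s_domain = msg.sender.lower().rpartition("@")
    _, _, r_domain = msg.recipient.lower().rpartition("@")
    # Device-style local-part sent "from" the recipient's own domain.
    if s_local in DEVICE_LOCALPARTS and s_domain and s_domain == r_domain:
        hits.append("device_sender_spoofing_recipient_domain")
    if msg.subject.strip().lower() == "scan data":
        hits.append("subject_scan_data")
    if any(SCAN_ATTACHMENT.match(name.strip()) for name in msg.attachments):
        hits.append("scan_numbered_attachment")
    return hits

def triage(messages):
    """Map each message's sender to its matched indicators; all three hits is a quarantine candidate."""
    return {m.sender: dridex_lure_indicators(m) for m in messages}

# Constructed sample messages for demonstration, not mail from any real incident.
SAMPLES = [
    Message("scanner@example-bank.test", "teller@example-bank.test", "Scan Data", ["Scan_483920.doc"]),
    Message("no-reply@example-bank.test", "ops@example-bank.test", "Scan Data", ["Scan_1.pdf"]),
    Message("scanner@othercorp.test", "teller@example-bank.test", "Scan Data", ["report.docx"]),
    Message("alice@partner.test", "teller@example-bank.test", "Q2 statements", ["statement.pdf"]),
]

if __name__ == "__main__":
    for sender, hits in triage(SAMPLES).items():
        print(f"{sender}: {hits or 'no indicators'}")
```

A real gateway would also verify SPF/DKIM on the spoofed internal domain and detonate RTF attachments rather than rely on filename patterns alone, since attackers change subjects and names between campaigns.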
Second Quarter 2017 Illinois Reporter