SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
9 Sep 2016

Dridex banking trojan will soon target crypto-currency wallets

Future versions of the infamous and highly dangerous Dridex banking trojan will soon be able to steal credentials for several crypto-currency wallets, according to clues found in recent Dridex samples.

Dridex, also known as Bugat and Cridex, is the moniker of a banking trojan and the name of its botnet (infected devices) used to commit other types of illegal activities, such as sending spam.

The criminal group behind it, a true cyber-crime syndicate, has people working around the clock updating Dridex's source code with new features and new methods meant to help the trojan avoid getting flagged by security software. A recent Forcepoint report highlights some of the low-level code changes that have allowed Dridex to avoid malware researchers and security software in the past few months, but it also includes some clues about the trojan's future.

Dridex will ban computers it thinks belong to security researchers

Some of the most significant and extensive changes are to Dridex's configuration file, which is now transmitted from the C&C master server to its victims in an encrypted binary format, instead of a cleartext XML file.

While this has made reverse engineering and Dridex detection a real problem, the most interesting change is the fact that Dridex now comes with the ability to blacklist "suspicious" hosts. You see, Dridex doesn't flat-out infect its victims. The initial infection trojan, called the Dridex loader, collects information about each host and then sends it to the Dridex servers.

The type of information it collects includes data such as the computer's name, OS type, OS version, OS installation date, and system information like the list of installed software.

Across time, this has allowed the Dridex gang to build a database of users. Dridex's operators have realized that they could use this database to detect users who have security-related and reverse engineering software installed on their PCs.

In recent Dridex versions, the malware authors have banned certain workstations. As such, recent Dridex versions will refuse to send over the main Dridex infection modules if the local computer is found on one of its blacklists.

Forcepoint says this ban, or blacklist, is applied based on a list of installed software but enforced only based on the computer's username and OS installation date, which still allows researchers to get around it.

Dridex prepares to integrate Bitcoin wallets

This is a unique feature among banking trojans, but Dridex operators are also preparing a second unique feature. According to the same Forcepoint researchers, Dridex operators are now scanning infected systems for the names of popular crypto-currency wallets.

The trojan, which can already log credentials for online banking portals, PoS software, and professional back-end banking software, is building a database of the most commonly encountered crypto-currency wallet software, no doubt in order to add support for stealing Bitcoin and other digital currencies in future versions.

A list of the Bitcoin and crypto-currency wallets recent Dridex versions are scanning for can be seen below. Be advised that the trojan also scans for the names of other types of apps, but you'll quickly recognize the names of popular Bitcoin wallets such as Coinbase, Bitcore, CoinsBank, BreadWallet, and more.

    <cmd id="5649" type="15">
        <fs>crealogix,multiversa,abacus,ebics,agro-office,cashcomm,softcrew,coconet,macrogram,mammut,omikron,multicash,quatersoft,alphasys,wineur,epsitec,myaccessweb,bellin,financesuite,moneta,softcash,trinity,financesuite,abrantix,starmoney,sfirm,migrosbank,migros bank,online banking,star money,multibit,bitgo,bither,blockchain,copay,msigna,armory,electrum,coinbase,magnr,keepkey,coinsbank,coolwallet,bitoex,xapo,changetip,coinapult,blocktrail,breadwallet,luxstack,airbitz,schildbach,ledger nano,mycelium,trezor,coinomi,bitcore</fs>
    </cmd>
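For an analyst triaging a decoded configuration entry of the shape shown above, the useful questions are "which keywords does this entry carry?" and "which software in my own inventory would it match?". The following script is an added example written for this post; it is not code from the article, from Forcepoint, or from the malware. It assumes the entry is well-formed XML (no stray spaces inside tags) and that matching is a case-insensitive substring match against installed product names; the page does not state how the trojan itself compares names, so that matching rule is an assumption. The sample entry and the sample inventory are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one <cmd> entry in the shape shown in the article,
# trimmed to a handful of keywords. The real list is much longer.
SAMPLE_CMD = (
    '<cmd id="5649" type="15">'
    '<fs>multibit,electrum,coinbase,trezor,starmoney,star money,online banking</fs>'
    '</cmd>'
)

# Constructed sample inventory, e.g. product names from an installed-software list.
SAMPLE_INVENTORY = ["Electrum 2.7.1", "Google Chrome", "TREZOR Bridge", "StarMoney 10"]


def parse_fs_keywords(cmd_xml):
    """Return the comma-separated keywords from the <fs> child of a <cmd> entry.

    Keywords are trimmed and lower-cased; empty items are dropped. Duplicates
    (the article's list contains 'financesuite' twice) are kept in order so the
    result mirrors the entry exactly; dedupe with dict.fromkeys() if needed.
    """
    root = ET.fromstring(cmd_xml)
    if root.tag != "cmd":
        raise ValueError("expected a <cmd> element, got <%s>" % root.tag)
    fs = root.find("fs")
    if fs is None or not fs.text:
        return []
    return [k.strip().lower() for k in fs.text.split(",") if k.strip()]


def match_inventory(keywords, installed_names):
    """Case-insensitive substring match of keywords against product names.

    Returns {installed_name: [matched keywords]} for names that hit at least
    one keyword. Substring matching is an assumption for this example; it is
    deliberately broad so a triage run errs on the side of reporting a name.
    """
    hits = {}
    for name in installed_names:
        low = name.lower()
        matched = [k for k in keywords if k in low]
        if matched:
            hits[name] = matched
    return hits


def triage(cmd_xml, installed_names):
    """Parse the entry and report which inventory names it would match."""
    return match_inventory(parse_fs_keywords(cmd_xml), installed_names)


if __name__ == "__main__":
    for name, kws in triage(SAMPLE_CMD, SAMPLE_INVENTORY).items():
        print("%-16s matched by %s" % (name, ", ".join(kws)))
```

Running it against the sample inventory reports Electrum, TREZOR Bridge and StarMoney, and leaves Google Chrome unmatched; note that the multi-word keyword "star money" only matches product names that actually contain the space, which is presumably why the entry carries both spellings.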
Tags:
Dridex information leaks
Source:
Softpedia