Financial Trojans Set to Roar Back in 2015


When it comes to financial crime, malware disruptions in 2014 changed the threat landscape by eliminating two prevalent malware families: the June takeover of Gameover Zeus (GOZ), which sent shockwaves through the criminal underworld, and a takedown of Shylock in July. Now, Dyreza and Dridex (also known as Bugat) have stepped into the void.

CrowdStrike’s annual Global Threat Intel Report pointed out that Dyreza takes a more simplistic approach to banking fraud, acting to intercept logins and perform malicious actions by acquiring the HTTP POST data from under banking SSL sessions. Dridex meanwhile uses the classic banking Trojan tactic of relying on complex JavaScript web injects targeted at the institutions it wishes to steal from.

“For some time, [the takedowns] left a void in this space, but adversaries were very quick to adapt,” CrowdStrike said in the study. “With many services that catered to GOZ and Shylock still in operation, it was inevitable other botnets would step up to the plate.”

The report also highlights Upatre, a loader previously used for delivering GOZ, which is now being used to deliver Dyreza. Likewise, the Cutwail and Pushdo botnets, previously tasked with distributing loaders for GOZ, have since been retasked. Alongside other spamming botnets, they are now delivering a number of phishing lures that ultimately lead to infection with persistent payloads. Dridex, for example, favors Word documents with obfuscated macros.
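Because the lure described above is a Word document carrying a macro, a defender's first gateway check is whether an attached OOXML document actually contains a VBA project, regardless of what its filename or content type claims. The following is an added example, not code from the article or from CrowdStrike; the sample documents it builds are constructed in memory and are not real lures, and the `should_quarantine` policy is a hypothetical one for illustration.

```python
import io
import zipfile

# An OOXML (.docx/.docm) file is a zip package. Macro-enabled documents
# carry a word/vbaProject.bin part and usually declare a macroEnabled
# content type in [Content_Types].xml. Inspecting the package beats
# trusting the extension, which the sender controls.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped package for testing (not a real document)."""
    buf = io.BytesIO()
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Report whether the bytes are an OOXML package and whether it carries macros.

    Legacy binary .doc files (OLE compound files) and corrupt data are not
    zip packages; they are reported as is_ooxml=False and need a separate
    OLE-aware inspection rather than being passed through silently.
    """
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "declares_macro_enabled": False,
    }
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with package:
        names = package.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Check the part itself, not just the declaration: the part is what Word runs.
        result["has_vba_project"] = any(
            n.lower().endswith(VBA_PART_SUFFIX) for n in names
        )
        if result["is_ooxml"]:
            ct_xml = package.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_macro_enabled"] = "macroEnabled" in ct_xml
    return result


def should_quarantine(data: bytes) -> bool:
    """Hypothetical gateway policy: hold any OOXML attachment that carries VBA
    or declares itself macro-enabled, for analyst review."""
    findings = inspect_office_document(data)
    return findings["has_vba_project"] or findings["declares_macro_enabled"]


if __name__ == "__main__":
    for label, sample in (("plain", build_docx(False)), ("macro", build_docx(True))):
        print(label, inspect_office_document(sample), "quarantine:", should_quarantine(sample))
```

The two signals are deliberately checked independently: a package whose content types were edited to look plain but which still ships `word/vbaProject.bin` is flagged on the part, and the reverse mismatch is flagged on the declaration. Non-zip input is reported rather than treated as clean, so legacy `.doc` lures are routed to a different check instead of slipping through.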

CrowdStrike predicts continued development of banking Trojans, including Dyreza and Dridex. As recently as November, Dridex added peer-to-peer (P2P) functionality to its arsenal in an attempt to become more resilient.

In addition, it is likely that new threats will follow the business model of using phishing lures delivered by spambots, with a range of first-stage loaders to keep their primary payloads under the radar.

The firm said that high-profile events continue to drive a significant number of financial campaign lures. In 2014, unpredictable events such as the Malaysia Airlines incidents and increased unrest in Ukraine drove campaigns more than planned events such as the World Cup or the G20 Summit. However, there was a high volume of Southeast Asia-based attacks targeting the World Cup over the summer, so big events should still place users on high alert.

In addition to the changing banking Trojan landscape, ransomware has also undergone a major shift throughout 2014 — in particular becoming much more professionally organized.

“CryptoLocker’s success made it the first ransomware variant to make it into prime-time news. Its success was, in part, due to its wide distribution, acting as an alternative revenue stream for the operators of GOZ,” CrowdStrike explained. “When GOZ was dismantled, CryptoLocker was also taken down, but now in its place many other copycat ransomware families are trying to replicate its success, such as CryptoWall and TorrentLocker.”

The firm predicts that for 2015, ransomware will continue to become more of a threat as continued copycats try to develop the next market leader.
