Romanian online banking users have for the past few days been the target of a new, customized wave of spam messages distributing Dridex, a new Trojan-type backdoor that steals users' login details. According to a press release received by Agerpres, Bitdefender experts warn that the virus targets users of two local banks.
According to experts, Dridex is a relatively new virus that has evolved from Cridex, another Trojan horse, itself the successor of the infamous Zeus malware.
The Dridex backdoor is currently configured to target two Romanian banks. To snatch the login credentials, the program uses several modules: for the bank that uses a virtual keyboard for password entry, the virus takes a screenshot at every mouse click, while for the second bank it uses a module that injects code into the login page.
“The backdoor spreads either via an executable file attached to spam messages, or via links that automatically download the malware once clicked on. This new campaign uses Word and Excel files that include a macro code. They install a generic downloader that downloads and runs Dridex. Between August 10 and 17, the messages appeared to have been sent by Romanian companies and pretended to contain important financial documents for the user. If the user opens the Word file and activates the macro function (automatically disabled by Word in order to avoid security risks), Word will automatically launch the process of downloading the virus. The Dridex malware is a DLL file which is injected into the explorer.exe process, and from there it will monitor the user's banking and browsing activity, regardless of the browser they use: Firefox, Google Chrome or Internet Explorer”, Bitdefender informs.
The experts warn that identifying Dridex on a computer that has already been infected is difficult.
“In order to remain undetected, the virus adds itself to the programs running together with the operating system only prior to the computer's shutdown. After the PC is put back on, the virus removes itself from the list of programs running automatically, which makes it virtually invisible. In case of a power outage or sudden shutdown, the virus will not be able to execute, as it is not included in the list of applications to be restarted”, the above-mentioned source states.
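A defender-side illustration of the shutdown-only persistence described above, added here and not part of the press release or of Bitdefender's own tooling: it correlates a constructed timeline of registry and power events to flag Run-key values that exist only between a shutdown and the next startup, which a snapshot of autoruns taken on a running machine would never show. The event kinds, field layout and sample value names are assumptions, loosely modelled on Sysmon registry events and Windows power events.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, event kind, detail).
# Event kinds are assumptions loosely modelled on Sysmon registry events
# (value set / value deleted) and Windows power events (shutdown / startup).
SAMPLE_EVENTS = [
    ("2015-08-12 09:00:00", "startup", ""),
    ("2015-08-12 09:05:10", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    ("2015-08-12 17:58:30", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc"),
    ("2015-08-12 17:59:02", "shutdown", ""),
    ("2015-08-13 08:30:00", "startup", ""),
    ("2015-08-13 08:30:41", "reg_delete", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc"),
]

RUN_KEY_MARKER = "\\CurrentVersion\\Run\\"  # matches both HKCU and HKLM Run keys


def find_transient_autoruns(events, pre_shutdown=timedelta(minutes=5),
                            post_startup=timedelta(minutes=5)):
    """Return Run-key values written within `pre_shutdown` of a shutdown and
    deleted within `post_startup` of the next startup: they are never present
    while the machine is up, so only the event timeline reveals them."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, detail)
                    for ts, kind, detail in events)
    shutdowns = [t for t, kind, _ in parsed if kind == "shutdown"]
    startups = [t for t, kind, _ in parsed if kind == "startup"]
    set_times = {}      # Run-key value path -> timestamps at which it was written
    suspicious = []
    for t, kind, path in parsed:
        if RUN_KEY_MARKER not in path:
            continue
        if kind == "reg_set":
            set_times.setdefault(path, []).append(t)
        elif kind == "reg_delete":
            # The deletion must closely follow a startup ...
            boot = max((s for s in startups if s <= t), default=None)
            if boot is None or t - boot > post_startup:
                continue
            # ... and the write must have closely preceded the shutdown before that boot.
            last_shutdown = max((s for s in shutdowns if s <= boot), default=None)
            if last_shutdown is None:
                continue
            if any(timedelta(0) <= last_shutdown - w <= pre_shutdown
                   for w in set_times.get(path, [])):
                suspicious.append(path)
    return suspicious
```

The OneDrive entry is written during normal use and never removed, so it is not flagged; only the value that appears just before shutdown and vanishes just after boot is reported.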
Bitdefender recommends that users install powerful, up-to-date security software and avoid clicking on links received via e-mail from unknown senders. Users who suspect that their computers are infected can press the restart button, so that the virus does not run once the computer restarts. They are also advised to contact their banks and change their login credentials as soon as possible.