Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence in the financial threat landscape. The Dridex campaign attributed to Botnet 220 focuses heavily on UK financial institutions and uses several different mechanisms to carry out its fraud.
For certain targeted banks’ pages, Botnet 220 uses classic webinjects: it injects a malicious script, loaded from an attacker-controlled domain, directly into the original bank page.
The injected code runs to thousands of lines and is mostly focused on stealing login credentials (including one-time passwords), grabbing personal details, and harvesting account balances. It also contains automatic-transaction infrastructure which was not invoked in the malicious scripts we analyzed, but which could easily be activated once the fraudsters decide to act.
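Because the injection described above adds a `<script>` element whose `src` points at a domain the bank does not own, one practical client-side integrity check is to enumerate the script sources in the page as the browser actually rendered it and flag any host that is not on the bank's own allow-list. The following Python code is an added defender's example, not code from the original article or from the Dridex scripts; the bank hostnames, the injected hostname and the sample page are all constructed for illustration.

```python
"""Flag <script src=...> references in a rendered bank page whose host is
not on the bank's first-party allow-list (added example; hostnames are
hypothetical and the sample page is constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the bank legitimately serves scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.examplebank.test", "static.examplebank.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect every external script source and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []   # values of src= on <script> tags
        self.inline_scripts = 0  # <script> tags with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.script_srcs.append(src)
        else:
            self.inline_scripts += 1


def find_foreign_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the src values whose host is outside allowed_hosts.

    Relative URLs (no host component) resolve to the page's own origin and
    are therefore not reported; protocol-relative URLs ("//host/x.js") are
    parsed like absolute ones so an injected host cannot hide behind them.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    foreign = []
    for src in collector.script_srcs:
        host = urlparse(src, scheme="https").hostname
        if host is None:
            continue  # same-origin relative path
        if host.lower() not in allowed_hosts:
            foreign.append(src)
    return foreign


# Constructed sample: a login page with one legitimate script, two injected
# references to a non-bank host, one same-origin script and one inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://static.examplebank.test/js/login.js"></script>
<script src="https://injected-host.test/inject.js"></script>
<script src="//injected-host.test/inject2.js"></script>
<script src="/js/local.js"></script>
<script>var x = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_PAGE):
        print("foreign script source:", src)
```

The check must run against the DOM the browser actually built (for example from a page-integrity script or browser extension), since a webinject alters the page after it leaves the bank's server, so scanning the server-side HTML would show nothing unusual. A well-tuned Content-Security-Policy `script-src` directive enforces the same allow-list in the browser itself.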
A certain bank was targeted by a dedicated malicious script containing slightly different automatic-transaction functionality. The injected script ships with two “fake pages” that are shown to the victim instead of the original page. The first one asks for the answer to the security question and asks the victim to generate a security code using a Secure Key device, on the pretext that the victim entered incorrect information in one or more fields.