A Warning about Dridex, a Malware that Abuses Larger Numbers of Illegitimate Websites
- Detect attacks with "D Alert", and release an analysis report -

Using the cyber risk information service "D Alert"^*, information security solution provider Digital Arts Inc. (headquarters: Chiyoda-ku, Tokyo, Japan; CEO: Toshio Dogu; Securities Code 2326) has detected a large number of emails that are thought to infect devices with the malware Dridex. We have also released an analysis report on the Dridex downloader.

Dridex is a type of data stealing banking malware that, when infected with, can steal information about authentication of online banking etc. There have been several reports about intrusion routes that lead to infection, most of which email based. Attacks have primary been seen overseas, but between January and March 2021, we confirmed a large number of emails that seemed to infect with Dridex and issued a "D Alert". Attack emails are sent under the guise of an invoice-related email, disguise sender and organization names as actual organizations, and contain attached Excel files that contain macros. If the attachments are opened and the malicious macros are executed, the malware is then downloaded from an illegitimate website and executed, leading to infection.

Trick to bypassing antivirus software and proxies with larger numbers of illegitimate websites

We verified the infection process using actual infected emails [Fig. 2].

The Dridex downloader uses the Excel file extension "xls" or "xlsm." When the macro is enabled and images inside the spreadsheet are clicked, the malicious macro is executed. Approximately 50 URLs are formed using pre-embedded characters in the spreadsheet. One is used at random to access an illegitimate website, which leads to Dridex infection.

The number of URLs used to download malware sometimes exceeded 100, almost all of which were illegitimate websites. URLs for websites in various languages such as corporate, news and e-commerce websites, and personal blogs, etc. were abused to install Dridex.

It's believed that illegitimate websites are used as they can delay detection by URL blacklists and antivirus software. In addition, as the download URL is chosen from a large number of other URLs at random, it's difficult for sandboxes etc. to pick up on.

"i-FILTER" Ver.10's download filter feature blocks downloads of Dridex

"i-FILTER" Ver.10 has a "download filter" feature that blocks downloads of malware embedded in websites. This feature also blocks downloads of Dridex embedded in the illegitimate websites.

Web security product "i-FILTER" Ver.10's download filter feature

Product details:

https://www.daj.jp/bs/i-filter/

Although wide scale email attacks that infect devices with Dridex have not been seen in Japan, the number of emails detected has begun to increase this year. Emotet, which caused widespread damage and mainly targeted overseas countries, began being seen in Japan at some point, causing damage domestically. What is happening overseas is expected to happen in Japan as well. These attacks are not limited to a specific business size or industry, so we recommend that you take the appropriate precautions with a product designed for this purpose.

Click here for an analysis report on Dridex

The following is available on our website.

Security Report:
Dridex - a Piece of Malware that Abuses Larger Numbers of Illegitimate Websites to Cause Infection via Email

https://www.daj.jp/security_reports/210309_1/

In addition, you can find the detection results of emails and URLs that are thought to lead to the infection of Dridex.

Cyber risk information service "D Alert"

https://www.daj.jp/bs/d-alert/archive/

• * Cyber risk information service "D Alert" is a free service that uses the features of "i-FILTER" Ver.10, "m-FILTER" Ver.5, "i-FILTER@Cloud" and "m-FILTER@Cloud" to inform customers suspected of being infected with malware and non-Digital Arts customers about infections and falsified information on websites.