The attackers used macros in the office suite to inject the Dridex banking trojan on targeted computers.

Another change has been the targets.

Like its precursors, Dridex is a sophisticated Banking Trojan, similar to the infamous Zeus malware.

Microsoft Word becomes preferred channel for delivering Dridex banking trojan

Dridex uses an XML-based configuration file to specify which websites it should target and other options for the malware.

.(swf)($|?

*/login/^https?

Microsoft Word becomes preferred channel for delivering Dridex banking trojan

://accounts.google.com/ServiceLoginAuth^https?

://login.yahoo.com/^https?

://login.live.com/^https?://(\w+.

spot_img

)?aol.com^https?://(\w+.

)?facebook.com/^https?://(\w+.

)?google^https?://(\w+.

)?yahoo^https?://(\w+.

)?youtube.com^https?://(\w+.

)?live.com^https?://(\w+.

)?twitter.com^https?://(\w+.

)?vk.com^https.

*ocsp..+$^https.

*safebrowsing..+$^https?

://fhr.data.mozilla.com^https://s.

*.symcd.com^https://s.

*.symcb.com^https.

)lphbs.com(//|.

Different versions of Dridex will thus be downloaded all having the same purpose, stealing banking credentials.

The Remedy

This trojan uses macros in the Office suite.

So the best approach to prevent such a trojan is to disable macros right from the beginning.

A user can however, enable and use them whenever desired.

Resource :Palo Alto Networks Research Centre

Read More

source: www.techworm.net