eBanking: Switzerland affected by dangerous Trojan horse

In many cases, the fraudsters try to trigger multiple payments to foreign recipients within a short period of time. Dridex malware is a well-known eBanking Trojan, which is usually spread via malicious Microsoft Office documents in emails from supposedly legitimate senders.

After infection, the Dridex malware searches for offline payment software on the infected computer, writes the Reporting and Analysis Center Melani. The software is usually used by companies to transmit a large number of payments via the Internet to one or more banks. The potential damage from computers compromised with this software is correspondingly high, writes the Reporting and Analysis Center for Information Assurance. Melani therefore urgently recommends that companies protect computers used for payment transactions accordingly.

Which manufacturers affected?

On the infected computer, Dridex currently searches for the following offline payment software or software from the following vendors:

• Abacus
• Abrantix
• Alphasys
• Argo Office
• Bellin
• Cashcomm
• CoCoNet
• Crealogix
• Epsitec
• financesuite
• Financesuite
• Macrogram
• Mammoth
• Mmulticash
• Moneta
• Multiversa
• Myaccessweb
• Omicron
• Quatersoft
• Softcash
• Softcrew
• Starmoney
• Trinity

If Dridex finds such payment software on the computer, further malware can be downloaded from the Internet, which is then used to capture fraudulent payments.

What to do?

To protect against attacks, Melani recommends securing computers used for payment transactions accordingly:

• For offline payment software and eBanking, use a dedicated computer on which you do not surf the Internet or receive emails.
• Use a collective signature via a second channel (e.g. eBanking) for the authorization of payments. Ask your bank about the corresponding options.
• If you use a hardware token (e.g. smart card, USB dongle), remove it after using the payment software.
• Do not save access data (contract number, password, etc.) for eBanking and payment software on the computer or in the software.
• Check with the manufacturer of your payment software for additional security measures and activate automatic software updates.
• Report suspicious payments to your bank immediately.

To prevent Dridex and other malware from infecting your organization, Melani also recommends the following measures:

• Make sure that potentially harmful email attachments are already blocked or filtered on your email gateway or spam filter. Dangerous email attachments use file extensions such as .js (JavaScript), .jar (Java), .bat (batch file), .exe (Windows executable), .cpl (control panel), .scr (screensaver) and others.
• Make sure that such dangerous email attachments are blocked even if they are sent to recipients in your organization in archive files, such as ZIP, RAR, or even in protected archive files (e.g. in a password-protected ZIP).
• Additionally, all email attachments that contain macros (e.g. Word, Excel or PowerPoint attachments with macros) should be blocked.