According to the security researcher MalwareTech, the gang behind the infamous Dridex banking Trojan is trying out a new spam-delivery tactic.
The researcher recently noticed that legitimate websites have been compromised by the Dridex operators to deliver spam messages to their victims, mostly users living in the UK.
In this current campaign, the Dridex operators are experimenting with two new techniques.
The first is the use of compromised servers for spam distribution instead of the previously used network of compromised computers – the Necurs botnet. Because the tactic was novel, security companies found it hard to identify the messages and flag them as spam.
The second new technique concerns the emails themselves: the malicious attachments are now password-protected.
“The malicious rtf (Word Document) has been encrypted with a password given in the email.” – MalwareTech explains – “This would prevent most automated systems from extracting and scanning the attachment for malicious code, as most aren’t able to handle password extraction or document decryption.”
This makes the malicious documents much harder for security tools to analyze and detect, while it remains trivial for users to read the password in the email and open the RTF file, which then tricks them into enabling macro execution with a misleading message.
Once executed, the macro downloads and installs the Dridex loader onto the victims' PCs, and this loader also differs from the ones seen in previous campaigns. MalwareTech says that it starts a command-line interface and pings one of Google's free DNS servers 250 times before doing anything malicious.
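As an added defensive example that is not part of the article or MalwareTech's research: a small detection routine run over constructed process-creation events that flags a long `ping -n <count>` loop used as a stalling delay, the loader behaviour described above. The 8.8.8.8 address (one of Google's public DNS servers), the 50-ping threshold and the sample events are assumptions.

```python
import re

# Assumed tuning value: the Dridex loader pinged 250 times; ordinary scripts use a handful.
PING_COUNT_THRESHOLD = 50
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# "ping <target> -n <count>" or "ping -n <count> <target>", optional .exe, any case,
# without crossing into a chained command (& or |).
PING_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*?-n\s+(\d+)", re.IGNORECASE)

# Constructed sample events (parent image, child image, command line), not real telemetry.
SAMPLE_EVENTS = [
    # Loader dropped by the macro starts a shell that stalls with 250 pings to 8.8.8.8
    (r"C:\Users\victim\AppData\Local\Temp\loader.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c ping 8.8.8.8 -n 250 > nul && C:\Users\victim\AppData\Local\Temp\loader.exe /run"),
    # Ordinary connectivity check from an admin shell
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping -n 4 fileserver.corp.local"),
    # Continuous ping without a count: no -n, so it is not matched
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\PING.EXE", "ping.exe -t 10.0.0.1"),
    # Long ping from a system shell: worth a look, but the parent is not suspicious
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "PING 8.8.8.8 -n 120"),
]

def ping_count(cmdline):
    """Return the -n count of the first ping in a command line, or None if there is none."""
    m = PING_RE.search(cmdline)
    return int(m.group(1)) if m else None

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_parent(path):
    """Office applications, or binaries running from user-writable directories."""
    p = path.lower()
    return basename(p) in OFFICE_PARENTS or "\\appdata\\" in p or "\\temp\\" in p

def detect_ping_delay(events, threshold=PING_COUNT_THRESHOLD):
    """Flag events whose command line pings at least `threshold` times; the finding is
    rated high when the parent process is itself suspicious, medium otherwise."""
    findings = []
    for parent, image, cmdline in events:
        count = ping_count(cmdline)
        if count is None or count < threshold:
            continue
        findings.append({"parent": basename(parent), "count": count, "cmdline": cmdline,
                         "severity": "high" if suspicious_parent(parent) else "medium"})
    return findings
```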
“Overall this campaign does seem to pack a bit more of a punch than the ones we’re used to, possibly with the intention of infecting corporate systems with more advanced threat protection rather than home users.” – he adds.
Earlier Dridex campaigns had been observed targeting smaller countries. Researchers have also detected the first signs of the Trojan gearing up to hit cryptocurrency wallets.