After nearly disappearing a couple of months ago, it seems that one of the most popular banking Trojans, Dridex, is now back in the game.
Since June, Dridex distribution has not been at its best, with only thousands of malicious messages detected, as its authors switched to massively and successfully distributing the Locky ransomware instead. However, a spike in Dridex distribution has recently been noticed and, according to security experts from Proofpoint, the Trojan is once again gearing up and preparing for a comeback.
And yet, this new Dridex wave appears to be much smaller than the ones researchers have observed before. Proofpoint reveals that the latest campaigns are only in the tens of thousands of messages, a number very unusual for a massive threat like Dridex. The increase in distribution was noticed at the beginning of last week, mostly hitting manufacturing organizations and financial services.
Most of the campaigns monitored since June have mostly targeted Switzerland, the UK, France and Australia. Proofpoint also says that many botnet IDs were involved in these attacks, including Dridex botnets 1124, 144, 1024, 124 and 38923.
Dridex botnet ID 228 was involved in one of the most recent Dridex waves, on 15th and 16th August, featuring a larger message count than usual. The botnet contained configurations for banking sites in Australia, France, the UK and the US, while the email messages used in the run carried Word attachments (DOCM files) with malicious macros.
Word files with the “DOCM” extension containing malicious macros were also observed in some of the latest Locky ransomware distribution campaigns. Over the last several months, Locky has relied on different distribution tactics before reverting to macros again.
This particular Dridex wave's targets were Point of Sale (POS) systems, various back-end payment processing and transfer applications, and remote management applications. Apps have been on the Dridex blacklist before, but since August the list has gained many new additions.
On 11th August, one more Dridex campaign was detected targeting banking websites, some of which were in Switzerland. It also used malicious Word documents to spread the Trojan, downloading and installing botnet ID 144. All attachments and messages in this campaign were in German, which is one of the most widely used languages in Switzerland.
Another campaign was noticed in the middle of July, downloading and installing botnet ID 124. It relied on DOCM attachments as well and used messages, subject lines and names in German, the same as an attack in June that distributed Dridex botnet ID 38923 (which targeted numerous banking sites, including some in Switzerland).
Researchers add that the Trojan is also spread via exploit kits (EKs). On 9th August, one of the most popular and widely used EKs, Neutrino, was spotted dropping Dridex botnet ID 1024 in the UK and Switzerland.
“The recent shift to more targeted distribution and a growing set of capabilities suggest that Dridex may be taking on a new life even as the high-volume campaigns shift to distributing almost exclusively Locky and its associated payloads. While these large campaigns may have saturated many target countries, Dridex actors are still looking to monetize the malware by targeting a smaller number of large organizations, many in financial services,” Proofpoint states.