Dridex Botnet Activity Jumps Up Significantly

After the holiday season break, the creators of the Dridex botnet have pumped up their email campaign activity even more.

Although the hackers slowed down their spam campaigns in the weeks after Christmas and New Year, in recent days they have resumed operations, which have reached a new peak.

Usually, the spam email campaigns targeted the manufacturing, telecommunications, and financial services sectors. The most targeted organizations are in the United States and the United Kingdom.

Since last October, the creators of Dridex have changed the malware’s distribution methods. About a week after law enforcement agencies seized servers to disrupt Dridex activity, security researchers discovered that the botnet was still active. In November, ESET and Trend Micro warned of new Dridex variants which were already achieving high infection rates.

The Dridex malware is a successor of the Cridex Trojan and is believed to have caused losses totaling $40 million in the United States and the United Kingdom. The malware is mostly used by hackers to steal personal and financial details from PC users, and the collected data is usually used in criminal financial operations.

Last month, researchers reported that new Dridex variants borrowed the concept of a redirection attack scheme from the Dyre Trojan. The new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by the attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication transaction codes such as tokens, second passwords, and answers to secret questions.
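One common way of poisoning name resolution on a single endpoint is to edit the local hosts file so that a bank's hostname resolves to an attacker-controlled address, or to a loopback address where a local proxy listens. The following defender-side check is an added example, not code from the article or from any vendor report it cites; it assumes the hosts-file mechanism, and the watchlist, sample hosts-file contents, domains, and IP addresses are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a hosts file. The hostnames and addresses are
# hypothetical; the last two entries model the kind of change an endpoint
# redirection attack would make (external IP, or loopback for a local proxy).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Developer override, harmless
127.0.0.1       dev.internal.example
# Suspicious: a banking hostname pointed at an external address
198.51.100.23   online.bank-example.com www.bank-example.com
# Suspicious: a banking hostname pointed at loopback (possible local proxy)
127.0.0.1       login.bank-example.com
"""

# Assumed watchlist of hostnames that should never appear in a hosts file.
WATCHLIST = {
    "online.bank-example.com",
    "www.bank-example.com",
    "login.bank-example.com",
}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (ip, [hostnames]) pairs, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no hostnames is noise
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify_address(ip_text: str) -> str:
    """Label the address: 'loopback' suggests a local proxy, 'external' a remote redirect."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    return "external"


def find_redirections(text: str, watchlist=WATCHLIST) -> Dict[str, Tuple[str, str]]:
    """Return {hostname: (ip, kind)} for every watchlisted hostname found in the hosts file.

    Any watchlisted hostname in the file is reported: a loopback mapping can
    feed a local interception proxy, an external one a look-alike site.
    """
    hits: Dict[str, Tuple[str, str]] = {}
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in watchlist:
                hits[host] = (ip, classify_address(ip))
    return hits


if __name__ == "__main__":
    for host, (ip, kind) in find_redirections(SAMPLE_HOSTS).items():
        print(f"ALERT: {host} mapped to {ip} ({kind}) in hosts file")
```

On a real endpoint the same function would be fed the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` and the watchlist would hold the organization's own banking, payment and SSO hostnames; any hit, loopback included, is worth an alert, since those names have no legitimate reason to be overridden locally.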

A recent report says that Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. Also, the cybercriminals behind the botnet increased their activity tenfold during the week of Nov. 8, 2015, probably in an attempt to regain control of their lost turf.

The latest Dridex spam campaign used email messages that aim to deceive users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. In a campaign before Christmas, Christmas-themed invoices from networking company Knowledge Network West were also used.

Among the latest email subjects used by Dridex campaigns are:

  • Reprint Document Archive;
  • UKMail tracking information;
  • Your car rental invoice from Avis;
  • Abcam Despatch;
  • ICM – Invoice #XXXX;
  • Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY;
  • Purchase Order XXX;
  • Request for payment (PGS/XXX);
  • Your receipt from Apple Store;
  • Aline Payment Request, etc.
