Dridex Botnet Activity Ramps Up After Holidays

Cybercriminals behind the Dridex botnet have ramped up their email campaign activity following a short holiday season break, researchers at FireEye Labs say.

Although the cybercriminals slowed down on their spam campaigns in the post-Christmas and New Year weeks, they have resumed operations and have been building momentum for the past few weeks, FireEye’s Robert Venal explains in a blog post.

These campaigns mostly targeted the manufacturing, telecommunications, and financial services sectors, and organizations in the United States and the United Kingdom were targeted the most, FireEye says. According to researchers, Dridex operators also changed the malware’s distribution methods following the October 2015 takedown attempt.

Less than a week after law enforcement agencies seized servers to disrupt the activity of Dridex, Proofpoint security researchers discovered that the botnet was still active. At the end of November, ESET and Trend Micro also warned of new Dridex variants already achieving high infection rates.

The Dridex malware is a successor of the Cridex Trojan and is believed to have caused losses totaling $40 million in the United States and the United Kingdom. Cybercriminals use it mainly to steal personal and financial details from users, which are then used in fraudulent financial operations.

Earlier this month, IBM X-Force researchers revealed that new Dridex variants borrowed a redirection attack scheme from the Dyre Trojan. Basically, the new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication transaction codes such as tokens, second passwords, and replies to secret questions.
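One defender-side check for the local redirect described above, added here as an example and not part of the original article or of IBM X-Force's research: it assumes the poisoning is done through the endpoint's hosts file (an assumption; the article does not say how) and flags entries that pin externally resolvable hostnames to non-local addresses, which is what such a redirect leaves behind. The sample hosts content and hostnames are constructed.

```python
import ipaddress

# Constructed sample hosts-file content (not from the article): benign
# loopback entries plus two lines that pin public-looking hostnames to a
# non-local address, the footprint of a local DNS-poisoning redirect.
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# suspicious: external hostnames overridden to a non-local address
198.51.100.23   online.examplebank.test  www.examplebank.test
198.51.100.23   login.examplebank.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_local_address(ip):
    """True for loopback, link-local or unspecified addresses (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address field: not a local address
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def suspicious_hosts_entries(text, allow=()):
    """Return (ip, hostname) entries that override a dotted, externally
    resolvable hostname with a non-local address. Names without a dot
    (localhost, ip6-localhost) and hostnames in `allow` (known intranet
    overrides) are ignored; the result is a triage list, not a verdict."""
    allowed = {n.lower() for n in allow}
    findings = []
    for ip, name in parse_hosts(text):
        if "." in name and name not in allowed and not is_local_address(ip):
            findings.append((ip, name))
    return findings
```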

According to a recent report from FireEye, following the October takedown attempt, Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. The actors behind the botnet also increased their activity tenfold during the week of Nov. 8, 2015, most probably in an attempt to regain control of their lost turf.

The most recent campaign involving Dridex used spam email messages attempting to trick users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. Fake Christmas-themed invoices from networking company Knowledge Network West were also used in a campaign just before Christmas.

Some of the email subjects used by Dridex campaigns recently included “Reprint Document Archive”, “UKMail tracking information”, “Your car rental invoice from Avis”, “Abcam Despatch”, “ICM – Invoice #XXXX”, “Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY”, “Purchase Order XXX”, “Request for payment (PGS/XXX)”, “Your receipt from Apple Store”, and “Aline Payment Request”.
