
Dridex Botnet Activity Ramps Up After Holidays

Cybercriminals behind the Dridex botnet have ramped up their email campaign activity following a short holiday season break, researchers at FireEye Labs say.

Although the cybercriminals slowed down on their spam campaigns in the post-Christmas and New Year weeks, they have resumed operations and have been building momentum for the past few weeks, FireEye’s Robert Venal explains in a blog post.

These campaigns mostly targeted the manufacturing, telecommunications, and financial services sectors, and organizations in the United States and the United Kingdom were targeted the most, FireEye says. According to researchers, Dridex operators also changed the malware’s distribution methods following the October 2015 takedown attempt.

Less than a week after law enforcement agencies seized servers to disrupt the activity of Dridex, Proofpoint security researchers discovered that the botnet was still active. At the end of November, ESET and Trend Micro also warned of new Dridex variants already achieving high infection rates.

The Dridex malware is a successor of the Cridex Trojan and is believed to have caused losses totaling $40 million in the United States and the United Kingdom. It is mainly used by cybercriminals to steal personal and financial details from users, which are then used in fraudulent financial operations.

Earlier this month, IBM X-Force researchers revealed that new Dridex variants borrowed a redirection attack scheme from the Dyre Trojan. Specifically, the new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by the attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication data such as transaction tokens, second passwords, and answers to secret questions.
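As an added example (not part of the original article, nor code from FireEye, IBM X-Force or any vendor cited here), the following defender-side check targets the local-endpoint redirection described above: it parses a hosts file and flags watchlisted login domains that have been mapped to anything other than a loopback address. The hosts content, the rogue entry and the watchlist domains are constructed placeholders.

```python
import ipaddress

# Constructed sample of a hosts file (assumed Windows-style layout). The entry for the
# bank domain points at a routable address, which is the tampering pattern to detect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   onlinebanking.example-bank.com   # constructed rogue entry
192.168.10.5    intranet.corp.example
"""

# Assumed watchlist: domains whose resolution must never be overridden locally.
WATCHLIST = {"onlinebanking.example-bank.com", "login.example-bank.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_watched(name, watchlist):
    """True if name is a watchlisted domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_redirected(text, watchlist=WATCHLIST):
    """Return [(hostname, ip)] for watched names mapped to a non-loopback or unparsable address."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watchlist):
            continue
        try:
            if not ipaddress.ip_address(ip).is_loopback:
                hits.append((name, ip))
        except ValueError:            # malformed address is suspicious in itself
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    print(find_redirected(SAMPLE_HOSTS))   # → [('onlinebanking.example-bank.com', '198.51.100.23')]
```

In production the same function would be run over the real hosts file on a schedule, with any hit raised as an alert rather than printed.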

According to a recent report from FireEye, following the October takedown attempt, Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. The actors behind the botnet also increased their activity tenfold during the week of Nov. 8, 2015, most probably in an attempt to regain control of their lost turf.

The most recent campaign involving Dridex used spam email messages attempting to trick users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. Fake Christmas-themed invoices from networking company Knowledge Network West were also used in a campaign just before Christmas.

Some of the email subjects used by recent Dridex campaigns included "Reprint Document Archive", "UKMail tracking information", "Your car rental invoice from Avis", "Abcam Despatch", "ICM – Invoice #XXXX", "Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY", "Purchase Order XXX", "Request for payment (PGS/XXX)", "Your receipt from Apple Store", and "Aline Payment Request".
