Cybercriminals behind the Dridex botnet have ramped up their email campaign activity following a short holiday season break, researchers at FireEye Labs say.
Although the cybercriminals slowed down on their spam campaigns in the post-Christmas and New Year weeks, they have resumed operations and have been building momentum for the past few weeks, FireEye’s Robert Venal explains in a blog post.
These campaigns mostly targeted the manufacturing, telecommunications, and financial services sectors, and organizations in the United States and the United Kingdom were targeted the most, FireEye says. According to researchers, Dridex operators also changed the malware’s distribution methods following the October 2015 takedown attempt.
Less than a week after law enforcement agencies seized servers to disrupt the activity of Dridex, Proofpoint security researchers discovered that the botnet was still active. At the end of November, ESET and Trend Micro also warned of new Dridex variants already achieving high infection rates.
The Dridex malware is a successor of the Cridex Trojan and is suggested to have caused losses totaling $40 million in the United States and the United Kingdom. It is mainly used by cybercriminals to steal personal and financial details from users that is then used in nefarious financial operations.
Earlier this month, IBM X-Force researchers revealed that new Dridex variants borrowed a redirection attack scheme concept from the Dyre Trojan. Basically, the new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication transaction codes such as tokens, second passwords, replies to secret questions.
According to a recent report from FireEye, following the October takedown attempt, Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. The actors behind the botnet also increased their activity tenfold during the week of Nov. 8, 2015, most probably in an attempt to regain control of their lost turf.
The most recent campaign involving Dridex used spam email messages attempting to trick users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. Fake Christmas-themed invoices from networking company Knowledge Network West were also used in a campaign just before Christmas.
Some of the email subjects used by Dridex campaigns recently included Reprint Document Archive, UKMail tracking information, Your car rental invoice from Avis, Abcam Despatch, ICM – Invoice #XXXX, Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY, Purchase Order XXX, Request for payment (PGS/XXX), Your receipt from Apple Store, and Aline Payment Request.
More from SecurityWeek News
- Threat Hunting Summit Virtual Event NOW LIVE
- Video: ESG – CISO’s Guide to an Emerging Risk Cornerstone
- Threat Modeling Firm IriusRisk Raises $29 Million
- SentinelOne Announces $100 Million Venture Fund
- Today: 2022 CISO Forum Virtual Event
- Cymulate Closes $70M Series D Funding Round
- SecurityWeek to Host CISO Forum Virtually September 13-14, 2022: Registration is Open
- Privilege Escalation Flaw Haunts VMware Tools
Latest News
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- Tackling the Challenge of Actionable Intelligence Through Context
- Dole Says Employee Information Compromised in Ransomware Attack
- Backslash Snags $8M Seed Financing for AppSec Tech
