Dridex Botnet Activity Ramps Up After Holidays

Cybercriminals behind the Dridex botnet have ramped up their email campaign activity following a short holiday season break, researchers at FireEye Labs say.

Although the cybercriminals slowed down on their spam campaigns in the post-Christmas and New Year weeks, they have resumed operations and have been building momentum for the past few weeks, FireEye’s Robert Venal explains in a blog post.

These campaigns mostly targeted the manufacturing, telecommunications, and financial services sectors, and organizations in the United States and the United Kingdom were targeted the most, FireEye says. According to researchers, Dridex operators also changed the malware’s distribution methods following the October 2015 takedown attempt.

Less than a week after law enforcement agencies seized servers to disrupt the activity of Dridex, Proofpoint security researchers discovered that the botnet was still active. At the end of November, ESET and Trend Micro also warned of new Dridex variants already achieving high infection rates.

The Dridex malware is a successor of the Cridex Trojan and is believed to have caused losses totaling $40 million in the United States and the United Kingdom. It is mainly used by cybercriminals to steal personal and financial details from users, which are then used in fraudulent financial operations.

Earlier this month, IBM X-Force researchers revealed that new Dridex variants borrowed a redirection attack scheme from the Dyre Trojan. Basically, the new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication transaction codes such as tokens, second passwords, and replies to secret questions.
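One defender-side check that follows from the local DNS poisoning described above, as an added Python example that is not from the article, FireEye or IBM X-Force: it parses a hosts file (assumed here to be the local override mechanism) and flags entries that pin a watched domain to an address, distinguishing a redirect to a routable address from a loopback sinkhole. The sample hosts content and the watch list of domains are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file; not taken from the article.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
192.0.2.44      online.examplebank.test www.examplebank.test   # suspicious override
0.0.0.0         telemetry.vendor.test
10.0.0.5        intranet.corp.test
"""

# Hypothetical watch list: domains that should never be pinned locally
# (for example the organization's banking and payment portals).
WATCHED_DOMAINS = {"online.examplebank.test", "www.examplebank.test", "login.payments.test"}


def parse_hosts(text):
    """Return (ip, hostname, raw_line) for every valid mapping in hosts-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip rather than guess
        for name in fields[1:]:
            entries.append((str(addr), name.lower(), raw))
    return entries


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Flag watched domains pinned in the hosts file.

    A mapping to a routable address is a 'redirect' (the pattern that sends a
    victim to a look-alike page); loopback or 0.0.0.0 is a 'sinkhole' (blocked).
    """
    findings = []
    for ip, name, raw in parse_hosts(text):
        if name not in watched:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append({"domain": name, "ip": ip, "kind": kind, "line": raw.strip()})
    return findings
```

Running `find_overrides` over the real hosts file on an endpoint (and alerting on any 'redirect' finding for a watched domain) gives a cheap host-based signal for this class of tampering, though it does not cover other local resolver manipulation.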

According to a recent report from FireEye, following the October takedown attempt, Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. The actors behind the botnet also increased their activity tenfold during the week of Nov. 8, 2015, most probably in an attempt to regain control of their lost turf.

The most recent campaign involving Dridex used spam email messages attempting to trick users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. Fake Christmas-themed invoices from networking company Knowledge Network West were also used in a campaign just before Christmas.

Some of the email subjects used by Dridex campaigns recently included Reprint Document Archive, UKMail tracking information, Your car rental invoice from Avis, Abcam Despatch, ICM – Invoice #XXXX, Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY, Purchase Order XXX, Request for payment (PGS/XXX), Your receipt from Apple Store, and Aline Payment Request.
