Cybercriminals behind the Dridex botnet have ramped up their email campaign activity following a short holiday season break, researchers at FireEye Labs say.
Although the cybercriminals slowed down on their spam campaigns in the post-Christmas and New Year weeks, they have resumed operations and have been building momentum for the past few weeks, FireEye’s Robert Venal explains in a blog post.
These campaigns mostly targeted the manufacturing, telecommunications, and financial services sectors, and organizations in the United States and the United Kingdom were targeted the most, FireEye says. According to researchers, Dridex operators also changed the malware’s distribution methods following the October 2015 takedown attempt.
Less than a week after law enforcement agencies seized servers to disrupt the activity of Dridex, Proofpoint security researchers discovered that the botnet was still active. At the end of November, ESET and Trend Micro also warned of new Dridex variants already achieving high infection rates.
The Dridex malware is a successor of the Cridex Trojan and is suggested to have caused losses totaling $40 million in the United States and the United Kingdom. It is mainly used by cybercriminals to steal personal and financial details from users, which are then used in nefarious financial operations.
Earlier this month, IBM X-Force researchers revealed that new Dridex variants borrowed a redirection attack scheme concept from the Dyre Trojan. Basically, the new Dridex variant was found to use DNS poisoning on the local endpoint to redirect the victim to pages controlled by attackers, tricking victims into exposing their usernames, passwords, and even two-factor authentication transaction codes such as tokens, second passwords, and replies to secret questions.
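Because the redirection described above is applied on the victim's own endpoint, one defensive check is to inspect local name-resolution overrides for financial domains. The following is an added example written for this page (not code from FireEye, IBM X-Force or the malware itself); the hosts-file content, domains and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of a hosts file after a local override has been added.
# The bank zone and the 203.0.113.x address are documentation placeholders,
# not indicators from the article.
SAMPLE_HOSTS = """
127.0.0.1       localhost
::1             localhost
# legitimate pin for an internal build server
10.0.0.5        build.internal.example
203.0.113.17    online.examplebank.test www.examplebank.test
"""

# Zones whose resolution should never be overridden on an endpoint
# (assumption: the defender maintains this list for their own institutions).
WATCH_ZONES = {"examplebank.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def in_watch_zone(name, zones):
    """True if name is one of the zones or a subdomain of one."""
    return any(name == z or name.endswith("." + z) for z in zones)


def find_suspicious_pins(text, zones):
    """Return (hostname, ip) pairs that pin a watched zone to a non-loopback
    address; a loopback pin blocks the site, any other pin redirects it."""
    hits = []
    for ip, name in parse_hosts(text):
        if not in_watch_zone(name, zones):
            continue
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass  # malformed address: still report it
        hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_suspicious_pins(SAMPLE_HOSTS, WATCH_ZONES):
        print(f"local override for {name} -> {ip}")
```

On a live system the same function can be fed the contents of /etc/hosts or the Windows hosts file; it does not cover other local poisoning methods such as resolver or proxy changes.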
According to a recent report from FireEye, following the October takedown attempt, Dridex switched from using malicious Word macros for distribution to using malicious Excel macros and exploit kits. The actors behind the botnet also increased their activity tenfold during the week of Nov. 8, 2015, most probably in an attempt to regain control of their lost turf.
The most recent campaign involving Dridex used spam email messages attempting to trick users by spoofing content from courier and logistics giant UK Mail, rental car service Avis, and petrochemical company Shell. Fake Christmas-themed invoices from networking company Knowledge Network West were also used in a campaign just before Christmas.
Some of the email subjects used by Dridex campaigns recently included Reprint Document Archive, UKMail tracking information, Your car rental invoice from Avis, Abcam Despatch, ICM – Invoice #XXXX, Shell Fuel Card E-bill for Account B500101 DD/MM/YYYY, Purchase Order XXX, Request for payment (PGS/XXX), Your receipt from Apple Store, and Aline Payment Request.