Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Dridex Trojan Returns From Summer Vacation

Dridex, one of the most prolific Trojans in recent years, is ramping up its activity once again, after coming to a near stop about two months ago, Proofpoint security researchers reveal.

Dridex, one of the most prolific Trojans in recent years, is ramping up its activity once again, after coming to a near stop about two months ago, Proofpoint security researchers reveal.

Earlier this year, the actors behind Dridex started distributing the Locky ransomware. Since June, the Dridex distribution has been very low, at only thousands of messages, although Locky campaigns have been running strong. Most recently, however, researchers observed a spike in Dridex distribution, which would suggest that the Trojan might be getting ready for new massive campaigns.

Compared to the previously seen runs, which amounted to millions of messages, the new infection campaigns are much smaller, at only tens of thousands of messages, Proofpoint reports. The spike in distribution was observed in the beginning of this week and was focused on targeting financial services and manufacturing organizations.

The security company reveals that most of the campaigns observed since June have been targeting Switzerland, and that multiple botnet IDs were associated with such attacks, including Dridex botnet 1124, 144, 1024, 124, and 38923. The United Kingdom, Australia, and France were also targeted in the meantime.

One of the latest campaigns was observed on Aug. 15 and 16 and involved Dridex botnet ID 228, featuring a larger than average message volume. The botnet contained configurations for banking sites in the UK, Australia, France, and the United States, while the email messages used in the run contained Word attachments (DOCM files) with malicious macros.

The use of DOCM files containing malicious macros was associated with recent Locky infection campaigns as well. After using various other methods for distribution over the past several months, Locky recently reverted to using macros again.

Proofpoint researchers reveal that the instance of Dridex observed in this campaign was targeting various back-end payment processing and transfer, Point of Sale (POS), and remote management applications. Dridex was previously seen targeting applications, but its target list has expanded significantly in August, researchers reveal.

A Dridex campaign noticed on August 11, also relying on DOCM attachments for distribution, was downloading and installing botnet ID 144 and was targeting banking sites, including several in Switzerland. Messages and attachments used in this campaign were in German, one of the primary languages used in Switzerland.

Advertisement. Scroll to continue reading.

In mid-July, researchers observed a Dridex campaign that downloaded and installed botnet ID 124. Also relying on malicious Word documents, this campaign too was using subject lines, attachment names, and messages in German, the same as an attack in June that distributed Dridex botnet ID 38923 (which was targeted at numerous banking sites, including some in Switzerland).

In addition to the use of malicious emails, Dridex operators also rely on exploit kits (EKs) for distribution, Proofpoint researchers say. On August 9, Neutrino, currently the most used EK, was observed dropping Dridex botnet ID 1024 in Switzerland and the United Kingdom.

“The recent shift to more targeted distribution and a growing set of capabilities suggest that Dridex may be taking on a new life even as the high-volume campaigns shift to distributing almost exclusively Locky and its associated payloads. While these large campaigns may have saturated many target countries, Dridex actors are still looking to monetize the malware by targeting a smaller number of large organizations, many in financial services,” Proofpoint says.

Related: C&C Flaw Offers Glimpse into Dridex Operations

Related: Massive Spam Campaign Spreads Panda Banker Trojan

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.