The infamous Dridex banking Trojan recently surfaced again in spam campaign runs that have managed to achieve a high infection rate, security companies ESET and Trend Micro warn.
The Dridex malware, a successor of the Trojan known as Cridex, Feodo and Bugat, has been around since last year, often spread through infected Word and Excel documents sent as attachments to spam emails, which prompt users to enable macros to view access their contents.
This technique has been used to spread Dridex in the past (and other malware as well), and it appears that the cybercriminals behind the malware continue to rely on it, targeting both end-users and financial institutions with their spam emails. Once a user executes the infected file, Dridex infects the system with a botnet controlled by the attackers, who can steal personal and financial information.
ESET researchers report that a new Dridex campaign targeting users in European countries such as Spain and Slovakia, and that people in South Africa are also targeted. Trend Micro, on the other hand, says that new campaigns are infecting users worldwide, with the largest number of victims observed in the United States (23.47 percent), United Kingdom (14.39 percent), France (14.26 percent), and Australia (13.91 percent).
Following a massive effort from law enforcement authorities in the United States and Europe in the past months, the Dridex botnet was supposedly disrupted in mid-October when servers used in the network were seized. In August, authorities arrested Andrey Ghinkul, who was identified as one of the Dridex botnet administrators.
However, since the Dridex network was created as a hybrid between a centralized and a decentralized network, partitioned into multiple sub-botnets and uses a peer-to-peer (P2P) network for communications, the Trojan reappeared only days after being supposedly taken down. Two Dridex campaigns were spotted a couple of days after the takedown, aimed at users in France and the United Kingdom.
New discoveries made by ESET and Trend Micro suggest that the cybercriminals behind the Dridex botnet only needed a few weeks to test the stability of the network and to reinitiate their infection operations. While the new campaigns appear to lack the strength of the previous Dridex infections, they are expected to grow through additional spam campaign runs.
According to ESET, the attackers behind Dridex were very active in September and October, and cont continued to be so in November as well, with one new malware variant observed to be peaking on November 13 and November 16. Trend Micro says that 10 new malware variants have been observed since November 13, when a new infection campaign has started.
The observed campaigns include one similarity, namely the fact that spam emails are sent in English. While it would not make sense for a user in Spain, France, or Germany to open an email in English, chances are that they will, regardless of what it contains or where it came from, out of pure curiosity. The attackers appear to rely on this behavior to ensure the success of their campaign.
According to Trend Micro, the new spam campaign run has the same ID or segment used to spread Dridex since last year, meaning that the botnet was not totally taken down last month. Furthermore, the security firm notes that the new malware variants use complex coding techniques of obfuscation and indirect calls similar to those in variants spotted in the past.
One thing that is not clear as of now is whether the new Dridex strings contain code related to sending emails. Should they include the capability, it would reveal that the actors behind the botnet are trying to bring the entire infection chain for Dridex full circle. This could result in more, wider spread spam campaigns to spread the infection.
The new findings are in line with what Kevin Epstein, VP of Threat Operations at Proofpoint, told SecurityWeek last month, only a few days after authorities announced that Dridex was taken down. He suggested that the email distribution botnet, other C&C networks, and the Dridex malware itself might not have been impacted by the mid-October takedown.
“Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it,” Epstein said.
The Dridex malware is estimated to have caused financial losses of around $40 million in the United States and the United Kingdom alone (namely $10 million in the U.S. and $30 million in the U.K.). As the masterminds behind the malware appear to be regrouping and restarting their criminal activity, users are advised to take extra caution when opening emails and to disable the option to run macros in Word and Excel, unless they do require them for their work.