The threat actor behind the infamous Dridex and Locky malware families has updated tactics and expanded its target list in recent campaigns, Trend Micro reports.
In late 2019, the actor began employing remote access Trojans (RATs) such as FlawedAmmyy and ServHelper in its attacks, and the trend continues. However, the hacking group has started using .ISO image attachments for infection, a .NET downloader, a new style for macro delivery, and updated versions of said RATs.
The first attacks to employ .ISO file attachments were observed in the middle of July, targeting Turkish and Serbian banks. The attack used command line msiexec to execute an MSI file that contains and runs an executable that installs ServHelper. Another attack employed an Excel document malicious macros to directly download the executable that installs ServHelper.
One attack used an updated version of ServHelper that included the strings’ binary encrypted in Vigenère cipher. Some samples still had errors in the cipher routine, Trend Micro says.