Security News Dridex Returns with New Spam Campaign After Two-Month Hiatus

[Exterminator]

After a two-month period of lethargic and almost nonexistent campaigns, the group circulating the Dridex banking trojan has ramped up distribution once again, returning with new spam campaigns, mainly targeting Switzerland.

The Dridex gang, as the cyber-crime syndicate behind the Dridex banking trojan is often called, has been relatively quiet since mid-June, about the same time when Necurs, one of the botnets it operates, has gone down and resurfaced after three weeks.

Ever since then, Dridex distribution seems to have ground down to a halt, with only a few thousands of emails per spam campaign, which is a laughable number when compared to the millions of messages it was spewing out in May and earlier.

Dridex gang operations are evolving
Looking at the big picture, security researchers from Proofpoint say they've identified a shift in global Dridex gang operations.

Starting with January-February 2016, the Dridex gang started delivering both the Dridex banking trojan and the Locky ransomware via their botnets. Locky numbers started out slow but grew to outpace Dridex distribution.

Most of the spam was easy to distinguish. For many months, and up to August, Locky was delivered via ZIP archives that contained malicious JavaScript files. On the other hand, Dridex was delivered to victims as Office documents with malicious macro scripts contained within.

As Locky spam numbers continued to grow, and after the Necurs botnet downtime, something strange happened. Locky spam started to use macro malware (Office docs with macro scripts), while Dridex spam almost stopped.

Dridex spam now focuses on more valuable targets
Proofpoint claims that during this downtime, the Dridex gang changed their mode of operation, and started sending out smaller Dridex spam campaigns. Instead of blasting emails at random users, it started targeting businesses.

The group is now trying to compromise employees and people with access to more valuable information and is using concentrated spam campaigns that deliver the Dridex trojan, which is capable of phishing credentials for all sorts of financial applications.

Proofpoint says that this particular version of the Dridex trojans targets the backends of payment processing and transfer, Point of Sale (POS), and remote management applications.

Most of these attacks have been focused on Switzerland, a hotspot for financial institutions, showing the group's interest in compromising accounts with access to more funds than your regular mom and pop banking accounts.

Dridex botnet Countries Date
Recent Dridex spam floods
Dridex botnet 38923 Switzerland July 7
Dridex botnet 302 UK July 12
Dridex botnet 124 Switzerland July 15
Dridex botnet 1024 Switzerland July 26-27
Dridex botnet 1024 Switzerland July 29
Dridex botnet 1024 Switzerland August 2-3
Dridex botnet 1024 Switzerland August 9
Dridex botnet 1024 Switzerland August10
Dridex botnet 144 Switzerland August 11
Dridex botnet 228 UK, AU, FR August 15-16
Dridex botnet 1124 Switzerland August 17
Financial institutions in other countries were also targeted, Proofpoint says, but nine of the eleven Dridex spam campaigns targeted Switzerland.

Dridex went through an experimental and testing phase
As the Dridex spam numbers started to rise up once again, it appears that the crooks have now fine-tuned their malware and are ready for a broader distribution that targets other countries as well.

And as another sign that the Dridex crew was playing around with their toys, Proofpoint says it detected the gang using the Neutrino exploit kit to deliver their banking trojan, a technique the group hasn't used in many campaigns before. Just like in the smaller spam floods, the exploit kit campaign targeted Switzerland, and also the UK.

In the meantime, Locky has been going strong, according to another report from FireEye, who recently detected a campaign mainly targeting the healthcare sector.