Pierluigi Paganini October 02, 2015

The Dridex Banking Malware is risen, security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign.

Once against the Dridex banking Trojan is in the headlines, this week security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign.

The phishing campaign is targeting victims mainly in the UK, the malicious messages include a Microsoft Word document that entices users to enable macros. The macros are used to enable the downloading of the Dridex banking malware from domains controlled by the attackers.

The phishing messages refer business or retail order and ask for payment, the malicious attachments pretend to be an invoice, but the victim is presented with a dialog box that asks them to enable macros in order to correctly view the document.

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft have seen a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

In April 2015 security experts across the world detected sample of the “Dridex” banking Trojan and “TorrentLocker” ransomware, which is being spread through macros.

The security researchers confirmed that the overall volume of Dridex emails peaked nearly 100,000 per day, this new campaign already reached 20,000 emails, mostly targeting emails accounts in the UK.

“After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today.  Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.” states Palo Alto in a blog post.

Dridex malware had been quiet for a short period, likely due to law enforcement activities, but recent events demonstrate a resurgence of the Dridex threat. Early September law enforcement identified and arrested in Cyprus a 30-year-old Moldovan man allegedly behind the Dridex campaigns.

“Between the end of August and now, we had seen no Dridex activity at all,” Palo Alto intelligence director Ryan Olson said. “We attribute that to the arrest. We assumed there was some organizational shakeup and people were regrouping. It popped up again this morning with some volume.”

The macros used in this phishing campaign allow the download of the malware from one of the URLs in a list published by Palo Alto. The blog post of the company includes this list, the indicators of compromise and, of course, the list of Command and Control Centers.

Unfortunately the events demonstrate the efficiency of the criminal ecosystem that were able to react to the action of Law Enforcement, despite continuous arrests made by the authorities, new criminal groups are always waiting in the wing to gain the control of profitable activities in the criminal underground.

Pierluigi Paganini

(Security Affairs –  Dridex, malware)