Dridex Botnets are still active and effective

The Dridex Banking Trojan has risen again despite the recent operation conducted by law enforcement on a global scale.

Spam campaign relying on the Dridex malware continues to threaten banking users across the world despite the operations conducted by law enforcement on a global scale. We left Dridex malware spreading across the Europe, in particular targeting the customers of the banks in the UK. In October, the NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

Now Dridex is once again in the headlines, spam emails containing the famous malware are continuing to target netizens despite the arrest of one of its botmasters in August.

A couple of weeks ago the experts at Palo Alto Networks confirmed that the overall volume of Dridex emails peaked nearly 100,000 per day, this new campaign already reached 20,000 emails, mostly targeting emails accounts in the UK.

“After Brian Krebs reported the September arrests of alleged key figures in the cyber crimegang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today.  Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.” states Palo Alto in a blog post.

The U.S. Department of Justice said on Oct. 13 it was seeking the extradition of the Moldovan Andrey Ghinkul, he is accused of using the Dridex malware to steal US$10 million from U.S. companies and organizations.

Resuming Dridex has risen again, explained Brad Duncan, a security researcher with Rackspace.

“In early September 2015, we started seeing reports about arrests tied to Dridex malware.  About that time, we noticed a lack of botnet-based malicious spam (malspam) pushing Dridex malware.  During the month of September, Dridex disappeared from our radar.  By the beginning of October 2015, malspam pushing Dridex came back, and it’s continued since then.” Duncan wrote in a blog post on the Internet Storm Center. “This morning (Friday 2015-10-23) when I searched VirusTotal for #Dridex, I found more than 80 comments posted by at least a dozen individuals after the 2015-08-28 arrest.  These #Dridex comments covered 28 Word documents, 4 Excel spreadsheets, and 37 Win32 EXE files.  I also found 14 URLs tagged as #Dridex in the comments.”

If you searching more data on the Dridex botnet, give a look to the analysis published by the experts at Dell SecureWorks or the analysis published on the Dynamoo’s Blog and Techhelplist.com.

Stay tuned!

Pierluigi Paganini

(Security Affairs –  Dridex botnets, malware)