The Dridex Trojan used to steal millions from UK banks has reportedly bounced back from a joint UK operation with the US to dismantle the criminal botnet supporting it.
In October 2015, the UK’s National Crime Agency (NCA), in conjunction with a US sinkhole operated by the FBI, set up a sinkhole for Dridex malware to stop infected computers – collectively known as a botnet – from communicating with the cyber criminals controlling them.
Dridex malware – also known as Bugat and Cridex – is believed to have been developed by technically skilled cyber criminals in eastern Europe to harvest online banking details. The hackers exploit the data to steal money from individuals and businesses around the world.
Global financial institutions and a variety of different payment systems have been particularly targeted, with UK losses estimated at £20m.
In October, the NCA said its National Cyber Crime Unit (NCCU) had rendered a large portion of the botnets harmless – but just a month later Dridex is steadily regaining its footing in the US, according to Ryan Flores, threat research manager at security firm Trend Micro.
“Taking down servers is a significant step in crippling botnets, but unless all infrastructure is destroyed and all threat actors are caught, threats like Dridex are bound to resurface,” he wrote in a blog post.
Computers typically become infected with Dridex malware when users receive and open documents in seemingly legitimate emails.
According to Flores, since 13 November 2015 researchers have seen multiple Dridex-related spam runs, most of which use social engineering lures that involve financial matters such as an invoice, an unpaid bill, a financial statement, current credit balance or receipt.
The top targets of the spam campaigns have been the US (23%), UK (14%), France (14%) and Australia (13%).
The Dridex spam campaigns are being run by Dridex botnets that date back to August 2014. Flores said this shows the operation by the NCA and FBI did not take down the whole botnet.
Analysis of ten new variants found by researchers since October shows they use the same obfuscation and indirect-call techniques as past variants to make analysis more difficult.
The spam campaigns use Excel and Word documents containing malicious macros, and all that is required to infect a computer is for the booby-trapped file to be opened. No software vulnerability is needed, said Flores.
In the UK, e-commerce software company PCA Predict (formerly Postcode Anywhere) recently reported that it had been the target of a Dridex spoofing campaign. This resulted in hundreds of thousands of spam emails being sent out to the public that appeared to come from PCA Predict.
The company responded to the spoofing campaign by changing the image that was being hotlinked in the spam emails to say “this is Spam”, to warn unsuspecting recipients.
Macro malware is a long-standing threat that has seen some revival in recent years to distribute threats like ransomware, and has been used to spread Dridex in the past.
According to Flores, Dridex will take some time to regain its former strength, but these new spam campaigns indicate the criminals behind Dridex have regrouped and restarted operations.
Users are advised to disable the ability to run macros in Excel and Word if they are not needed, and should guard against clicking “OK” on any dialog box requesting to enable macros.
Users should confirm the identity or source of an email and verify that attachment file extensions reflect the actual file type. Businesses should modify security policies to disable the use of macros; educate users to disable or implement macro security in Microsoft Office applications; and consider implementing systems to detect malware in phishing and spam campaigns.
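The two checks recommended above – that an attachment’s extension reflects its actual file type, and that mail gateways detect macro-bearing Office documents – can be automated. The following Python script is an added example written for this article; it is not Trend Micro’s, PCA Predict’s or the NCA’s code. It identifies a file’s real container format from its magic bytes, compares that with the claimed extension, and flags OOXML documents (.docx/.docm/.xlsx/.xlsm) that carry a VBA project (a `vbaProject.bin` entry inside the zip). The sample attachments are constructed in memory and are not real Dridex lures.

```python
"""Added example: triage e-mail attachments for extension/content mismatches
and for Office documents carrying a VBA macro project.
All sample inputs are constructed here; nothing is taken from a real campaign."""
import io
import zipfile

# Magic bytes of the container formats that matter for macro lures.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm/.xlsx/.xlsm
PDF_MAGIC = b"%PDF-"

# Which magic each claimed extension should start with (assumed policy table).
EXPECTED_MAGIC = {
    "doc": OLE_MAGIC, "xls": OLE_MAGIC,
    "docx": ZIP_MAGIC, "docm": ZIP_MAGIC, "xlsx": ZIP_MAGIC, "xlsm": ZIP_MAGIC,
    "pdf": PDF_MAGIC,
}


def extension_matches_content(filename, data):
    """True when the claimed extension agrees with the file's magic bytes.
    Extensions not in the table are treated as a mismatch so they get reviewed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = EXPECTED_MAGIC.get(ext)
    return magic is not None and data.startswith(magic)


def ooxml_has_macros(data):
    """An OOXML package stores its VBA code as vbaProject.bin inside the zip;
    its presence is a reliable indicator that the document carries macros."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means clean."""
    findings = []
    if not extension_matches_content(filename, data):
        findings.append("extension does not match file content")
    if ooxml_has_macros(data):
        findings.append("Office document contains a VBA macro project")
    return findings


def build_ooxml(with_macro):
    """Construct a minimal OOXML-shaped zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0 constructed vba blob")
    return buf.getvalue()


# Constructed sample attachments named after the financial lures described above.
SAMPLE_ATTACHMENTS = {
    "invoice_2015.docx": build_ooxml(with_macro=False),
    "unpaid_bill.docm": build_ooxml(with_macro=True),
    "statement.pdf": build_ooxml(with_macro=True),   # macro document masquerading as a PDF
    "receipt.xls": OLE_MAGIC + b"\x00" * 64,         # legacy OLE file; VBA check needs an OLE parser
}


def triage(attachments=SAMPLE_ATTACHMENTS):
    """Run every attachment through assess_attachment and return name -> findings."""
    return {name: assess_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

The script deliberately stops at the container level: it does not inspect legacy OLE2 files (`.doc`/`.xls`), which can also hold VBA streams, and it does not look inside the macro code. For those cases a dedicated parser such as the open-source oletools project’s `olevba` is the usual choice. A mail gateway would typically quarantine anything with a non-empty findings list rather than rely on the user declining the “enable macros” prompt.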