Dridex now focuses on high-value targets

Aug 20, 2016 00:15 GMT

After a two-month period of lethargic and almost nonexistent campaigns, the group circulating the Dridex banking trojan has ramped up distribution once again, returning with new spam campaigns, mainly targeting Switzerland.

The Dridex gang, as the cyber-crime syndicate behind the Dridex banking trojan is often called, has been relatively quiet since mid-June, about the same time when Necurs, one of the botnets it operates, went down just to resurface after three weeks.

Ever since then, Dridex distribution seems to have ground to a halt, with only a few thousand emails per spam campaign, a laughable number compared with the millions of messages it was spewing out in May and earlier.

Dridex gang operations are evolving

Looking at the big picture, security researchers from Proofpoint say they've identified a shift in global Dridex gang operations.

Starting with January-February 2016, the Dridex gang started delivering both the Dridex banking trojan and the Locky ransomware via their botnets. Locky numbers started out slow but grew to outpace Dridex distribution.

Most of the spam was easy to distinguish. For many months, and up to August, Locky was delivered via ZIP archives that contained malicious JavaScript files. On the other hand, Dridex was delivered to victims as Office documents with malicious macro scripts contained within.

As Locky spam numbers continued to grow, and after the Necurs botnet downtime, something strange happened. Locky spam started to use macro malware (Office docs with macro scripts) while Dridex spam almost stopped.
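As an added illustration of the two lure formats described above (not code from the article or from Proofpoint), the following Python triage check classifies an attachment by its container type: a ZIP archive holding script files, as with the Locky lures, versus an OOXML document carrying a VBA project, as with the Dridex macro documents. The sample attachments are constructed in memory; legacy binary .doc files would need an OLE parser and are not covered.

```python
import io
import zipfile

# Script extensions commonly seen inside the ZIP lures (assumed list).
SCRIPT_SUFFIXES = (".js", ".jse", ".wsf", ".vbs")


def classify_attachment(data: bytes) -> str:
    """Return 'script-in-zip', 'macro-office', 'office', 'zip' or 'other'."""
    if not data.startswith(b"PK"):
        return "other"  # not a ZIP container (OOXML documents are ZIPs too)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return "other"
    # An OOXML document always has [Content_Types].xml; a macro-enabled one
    # additionally carries a vbaProject.bin part.
    if "[Content_Types].xml" in names:
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro-office"
        return "office"
    if any(n.lower().endswith(SCRIPT_SUFFIXES) for n in names):
        return "script-in-zip"
    return "zip"


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from a name -> bytes mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: only the shape of each lure format.
LOCKY_STYLE = _make_zip({"invoice_8821.js": b"// placeholder script body"})
DRIDEX_STYLE = _make_zip({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\x00placeholder"})
CLEAN_DOCX = _make_zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("locky-style", LOCKY_STYLE),
                        ("dridex-style", DRIDEX_STYLE),
                        ("clean docx", CLEAN_DOCX)]:
        print(label, "->", classify_attachment(blob))
```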

Dridex spam now focuses on more valuable targets

Proofpoint claims that, during this downtime, the Dridex gang changed their mode of operation and started sending out smaller Dridex spam campaigns. Instead of blasting emails at random users, it began to target businesses.

The group is now trying to compromise employees and people with access to more valuable information and is using concentrated spam campaigns that deliver the Dridex trojan, which is capable of phishing credentials for all sorts of financial applications.

Proofpoint explains that this particular version of the Dridex trojan targets the backends of payment processing and transfer, Point of Sale (POS), and remote management applications.

Most of these attacks have been focused on Switzerland, a hotspot for financial institutions, showing the group's interest in compromising accounts with access to more funds than your regular mom-and-pop banking accounts.  

Recent Dridex spam floods

Dridex botnet   Countries       Date
38923           Switzerland     July 7
302             UK              July 12
124             Switzerland     July 15
1024            Switzerland     July 26-27
1024            Switzerland     July 29
1024            Switzerland     August 2-3
1024            Switzerland     August 9
1024            Switzerland     August 10
144             Switzerland     August 11
228             UK, AU, FR      August 15-16
1124            Switzerland     August 17

Financial institutions in other countries were also targeted, Proofpoint adds, but nine of the eleven Dridex spam campaigns were aimed at Switzerland.

Dridex went through an experimental and testing phase

As the Dridex spam numbers started to rise once again, it appears that the crooks have now fine-tuned their malware and are ready for a broader distribution that targets other countries as well.

And as another sign that the Dridex crew was playing around with their toys, Proofpoint says it detected the gang using the Neutrino exploit kit to deliver their banking trojan, a technique the group hasn't employed in many campaigns before. Just like in the smaller spam floods, the exploit kit campaign targeted Switzerland, and also the UK.

In the meantime, Locky has been going strong, according to another report from FireEye, which recently detected a campaign mainly targeting the healthcare sector.

[Figure: Dridex message volume for the past two months]

[Photo gallery (2 images): Dridex returns with new spam floods; Dridex message volume for the past two months]