Two weeks after authorities announced they had taken down the botnet behind the banking malware Dridex, new research suggests the threat is alive and well.
Researchers with security company Invincea announced today that they’ve noticed 60 instances of attackers dropping Dridex on users in France, during the past four days. As part of a newly reinvigorated campaign, attackers are apparently rigging Microsoft Office documents to look like receipts from hotels and stores. When users open the documents, which are being spread through phishing emails, macros communicate back and forth to create malware, PIDARAS.exe, that goes on to communicate with hosts in Japan, via a command and control server.
The scam is using a just-in-time malware assembly scheme to help attackers thwart detection, Invincea warns. The tactic, coined by the firm, is used to describe whenever malware is formed directly on the endpoint itself, and assembled by components from the machine, like Windows utilities—in this case macros—to avoid sandbox analysis.
Perhaps more concerning, the campaign is also using code signed by Comodo certificates to further evade technology that trusts signed executables.
For the time being the campaign appears to only be confined to France, as the document names follow a similar pattern: “facture,” or “bill” in French, then the name of a shop, then a code, but researchers stress the campaign could be adapted for the U.S., and other nations, in time.
“The French campaign may portend the resurgence of a broader campaign that will likely target users in the U.S. and other countries, as Dridex has done previously,” the firm warned in a press release Monday.
The FBI, alongside the Department of Justice, and the UK National Crime Agency, announced earlier this month that it had taken down most of the computing infrastructure that supported Dridex. Officials at Dell SecureWorks helped carry out the takedown when it poisoned a peer to peer network associated with the botnet, and redirected roughly 4,000 bots that were targeting the U.K. and France to a sinkhole, but it appears some networks controlling the malware managed to avoid getting tangled up in the takedown.
Researchers with Palo Alto earlier this month were among of the first to report that the Trojan was back in circulation, targeting users in the U.K. shortly after the calendar turned over to October. In that campaign, similar to the one targeting the French, phishing emails encouraged users to enable macros in able to download the malware.
In the grand scheme of things it seems Dridex was really only gone for a month, Brad Duncan, a handler at SANS Internet Storm Center wrote last Friday on the InfoSec Handlers Diary. In the blog post Duncan pulls together data from VirusTotal that shows users discuss URLs, Excel spreadsheets, and Word documents that appear to be connected to the malware.
Botnet-based malicious spam pushing Dridex dipped off SANS’ radar in September, Duncan claims, but really made a resurgence in October, noting that on VirusTotal there are no submissions tagged “#Dridex” after Sept. 2, but that there are a slew dated after Oct. 1, statistics that coincide with the timing of Palo Alto’s research.