Trend Micro detailed the malware variant and attackers' delivery techniques.
Trend Micro detailed the malware variant and attackers' delivery techniques.

The proliferation of the Bugat trojan, also known as “Cridex,” put the threat among the top banking botnets last year – and now researchers warn that its so-called successor, “Dridex,” is targeting users via social engineering schemes.

In a new campaign detailed by Trend Micro, fraudsters are using Dridex to prey on bank customers primarily located in Australia, the UK and U.S. But instead of relying on the BlackHole exploit kit, as was the delivery mechanism of choice for Cridex, scammers spread Dridex by way of Microsoft Word documents containing malicious macro code.

In the attacks, cybercriminals crafted phishing emails so that they appeared to contain invoices from legitimate financial institutions, Trend Micro said.

In a Wednesday blog post, Rhena Inocencio, threat response engineer at Trend Micro, explained how attackers work around instances where the macro feature is disabled on users' systems. 

“Should the user open the document, they might see a blank document,” Inocencio wrote. “We have seen other attachments stating that the content will not be visible unless the macro feature is enabled…Once this feature is enabled, the macro downloads Dridex malware, specifically TSPY_DRIDEX.WQJ, onto the computer.”

Once installed, Dridex monitors users' online banking activity to collect sensitive data via form grabbing, HTML injections (a new trick the malware picked up in its latest form) and screenshots, Inocencio said.

Most of the targeted banks – which include Bank of Scotland, Lloyds Bank, Barclays and Santander – are in Europe. But Tom Kellermann, Trend Micro's chief cybersecurity officer, told SCMagazine.com in an interview that most of the victims are located in Australia (nearly 20 percent) because “Australians often use British banks for financial transactions, especially high net worth Australians.”

In a chart, the firm also revealed that around 15 percent of users affected by Dridex were in the UK, and about 14 percent were in the U.S. The phishing emails containing the malware originated from numerous countries, with the top “spam sending” location being Vietnam.

Earlier this year, advanced threat detection firm Seculert noted that Bugat, or Cridex, was using a worm component to quicken its spread on users' machines. The “self-spreading infection method,” as Seculert CTO Aviv Raff put it, allowed attackers wielding Cridex to log into simple mail transfer protocol (SMTP) servers using stolen credentials, and keep the malicious cycle going by sending out more Bugat-laden emails, he said.