Just one month after U.S. and U.K. law enforcement helped take down Dridex, Trend Micro is reporting the botnet is bouncing back.
The research firm said that while the takedown of the servers hosting the botnet in October was a positive step, there was always a very good chance Dridex would make a comeback. The majority of Dridex victims since October 13, when the servers were taken offline, have been in the United States (23.5 percent), the U.K. (14.3 percent) and France (14.3 percent). The remaining victims are spread across Europe and Asia.
“Unless all infrastructure is destroyed and all threat actors are caught, threats like DRIDEX are bound to resurface,” Ryan Flores, Trend Micro's Threat Research Manager, wrote in a blog post, adding, “While it will take time for DRIDEX to regain its former strength, these new spam runs indicate that the masterminds behind DRIDEX have regrouped and restarted their criminal activity. Users who thought DRIDEX was no longer a problem will have to think again.”
The latest attacks are using Dridex-related spam runs with email subject lines focusing on financial issues like invoices, unpaid bills or current credit balances. Dridex is primarily banking malware that leverages macros in Microsoft Office documents to infect systems, noted Forrest Stroud of Webopedia.
Flores pointed out that the new variants use the same coding techniques as in the past, separating the botnet into segments identified by a numeric coding system in order to hide the attack.
“Both Excel and Word documents are being used in these spam runs. When opened, these Office files contain a macro which, in turn, downloads the malicious DRIDEX file,” Flores said.
Because social engineering tricks are used to gain entry into a network, the best defenses are not opening suspicious emails and disabling unneeded macros.
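The spam runs described above deliver Word and Excel files whose macro downloads the Dridex payload, so one practical control at a mail gateway is to flag attachments that carry a VBA project before a user ever sees the macro prompt. The following Python script is an added example written for this article; it is not code from Trend Micro or from the original post. It relies on the fact that modern Office documents (.docm, .xlsm, .docx, .xlsx) are ZIP packages in which a VBA project is stored as a part named vbaProject.bin and declared in [Content_Types].xml; the sample documents it builds are constructed in memory purely for demonstration and are not real Dridex samples.

```python
import io
import zipfile

# OOXML packages (.docx/.docm/.xlsx/.xlsm) are ZIP archives. A VBA project is
# stored as a part named vbaProject.bin under the main document folder.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Legacy binary .doc/.xls files use the OLE compound-file container instead.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML package embeds a VBA project (i.e. contains macros)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if any(name in names for name in VBA_PART_NAMES):
            return True
        # Also honour the content-type declaration, in case the part sits under
        # a non-standard path: a macro-enabled package must still declare it.
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            return False
        return VBA_CONTENT_TYPE in content_types


def classify_attachment(data: bytes) -> str:
    """Coarse triage verdict for an attachment, suitable for a gateway rule."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office format: macros live inside OLE streams and need
        # an OLE parser (e.g. the olefile module) to inspect; treat as needing review.
        return "legacy-ole"
    if has_vba_project(data):
        return "macro"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-no-macro"
    return "other"


def build_sample(with_macro: bool, folder: str = "word") -> bytes:
    """Constructed minimal OOXML package for demonstration only (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            ct += ('<Override PartName="/%s/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>' % folder)
            zf.writestr("%s/vbaProject.bin" % folder, b"\x00" * 16)  # placeholder bytes
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("%s/document.xml" % folder, "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("invoice.docm", build_sample(True)),
                        ("invoice.docx", build_sample(False)),
                        ("balance.xlsm", build_sample(True, "xl"))):
        print(label, "->", classify_attachment(blob))
```

A verdict of "macro" on an attachment whose subject line matches the invoice or unpaid-bill lures described above is a reasonable trigger for quarantine or an analyst review; the check looks at the file's contents rather than its extension, so renaming a .docm to .docx does not evade it.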