The meteoric rise of Locky ransomware this year has not completely supplanted the distribution of the notorious Dridex malware, according to a new report from Proofpoint.
Experts have noted a drop in activity since mid-June when Necurs, one of the botnets operated by the Dridex gang, the bad actors said to be behind the Dridex banking trojan, was shuttered for a short time.
But activity revived by mid-August, when tens of thousands of messages were sent out, the Proofpoint researchers said, primarily targeting financial services and manufacturing organizations in the U.K., Australia, France and the U.S. The emails arrived with Microsoft Word attachments whose macros were infected so that when a victim clicked on the link, Dridex was downloaded. The messages were targeting particularly back-end payment processing and transfer, point-of-sale (POS), and remote management applications.
To prevent companies from becoming a victim of Dridex or other malware that is being distributed via malicious office documents, Swiss CERT recommends the following actions:
• For payments or wire transfer issued via ebanking, make use of collective contracts.
• Use a dedicated computer for ebanking.
• Block the receipt of dangerous email attachments on your email gateway. These include: .js, .jar, .bat, .exe, .cpl, .scr, .com, .pif, .vbs, .psl
• Make sure that such dangerous email attachments are also blocked, if they are sent to recipients in your company in archive files or in encrypted archive files.
• In addition, all email attachments containing macros should be blocked on the email gateway as well.
While, the researchers at the Sunnyvale, Calif.-based security provider detected a slowdown in activity in email message volumes, it appears as though in choosing a new geographic target area, Switzerland, the miscreants behind the malware are shifting their focus to a narrower, but more lucrative target.
Earlier this month, the Proofpoint team detected various Dridex campaigns with Microsoft Word .docm attachments focused on Swiss financial institutions with subject lines and attachments written in German.
“The recent shift to more targeted distribution and a growing set of capabilities suggest that Dridex may be taking on a new life even as the high-volume campaigns shift to distributing almost exclusively Locky and its associated payloads,” the researchers said. “While these large campaigns may have saturated many target countries, Dridex actors are still looking to monetize the malware by targeting a smaller number of large organizations, many in financial services.”
The criminals behind this latest onslaught have weaponized these documents with a malicious macro, according to Swiss Governmental Computer Emergency Response Team. The macro downloads Dridex from a compromised website, should a recipient open the Office document, the CERT explained. “The spam campaigns that are distributing Dridex do not originate from a spam botnet, but rather from compromised email accounts. Therefore the attackers manage to bypass many spam filters and hence ensure that the email gets delivered to the recipient.”
Many of the recent high-profile data breaches were the result of PoS systems being targeted. The incursions into Oracle’s MICROS, HEI Hotels and last week’s breach at Eddie Bauer were all achieved by cyberthieves going after POS systems.
The Proofpoint researchers concluded that the actors behind this continuing campaign are focusing attention on specific targets that can most benefit their efforts, namely back-end payment software. Further, they are using trojans to automatically select these targets and then permitting their clients to choose which malware to download.