A new and more dangerous version of the Dridex banking malware is being used in a new campaign targeting financial institutions, primarily in the United States.
After having apparently lost its status as a favored attack vector, Dridex has popped back onto the mainstage, Trend Micro researchers Michael Casayuran, Rhena Inocencio and Jay Yaneza wrote in a recent report. A spike in Dridex spam emails was spotted in May, but this new iteration eschewed the old tactic of using fake invoices or notifications to scam the victim and instead attempted to scare the recipients into opening the email and clicking on the infected attachment.
“The email message bears the subject heading Account Compromised and contains details of the supposedly logon attempt, including the IP address to make it look legitimate. The spammed message is almost believable except for one missing crucial detail: It doesn’t have any information on what type of account (email, bank, social media accounts etc.) is compromised,” the researchers wrote.
The majority of the attacks (59.7 percent) spotted thus far were against U.S.-based targets with those in Brazil and China a distant second and third, Trend Micro reported.
Another major alteration is that Dridex is now paired with the command-line program Certuli, which allows the malware to pass itself off as a legitimate certificate.
“As such, this poses challenges in detecting and mitigating DRIDEX,” Trend Micro said. “Prior to this new wave, the use of macros enables the threat to bypass sandbox technologies. This clearly indicates that DRIDEX is leveling up its ante to remain a prevalent online banking threat.”
All of the changes added together have helped make Dridex once again a formidable opponent as a banking threat.
Being that the new Dridex has just hit the web Trend Micro is still unsure whether it is more effective than the previous incarnation.
Christopher Budd, global threat communications manager, told SCMagazine.com in an email, “It’s a new tactic and it will work with some people more than others. In reality, the only ones that can answer that question exactly are the attackers.”