Spam arrives with zip or Word doc attachments.

Largely unseen in major email campaigns for nearly a year, the Dridex banking trojan has raised its ugly head once again, according to a new report from Proofpoint.

As bad actors migrated to the Locky ransomware for malicious campaigns, some lower-volume assaults still used Dridex during 2016. However, that activity slowed in 2017, with most analysts agreeing that the takedown of the Necurs botnet contributed to the slowdown in the mass dissemination of both Locky and Dridex.

But researchers at Proofpoint are now reporting their detection of two large-scale Dridex campaigns, which they've dubbed Dridex botnet ID 7200. The majority of the spam comes with double-zipped archive attachments.

The mass mailings resemble previous Locky campaigns and use similar distribution methods, leading the researchers to believe that those behind the activity are ramping up their use of the same sending infrastructure used previously.

The researchers first spotted a spurt in Dridex activity at the end of March. Compared with previous time frames, the increased activity registered as a high-volume comeback, yet it is a small portion of what was previously seen.

On March 20, the Proofpoint investigators observed the reawakened Dridex activity with botnet ID 7200 being disseminated via Zip- or RAR-compressed VBS and EXE attachments. If executed, the scripts delivered an iteration of the Dridex banking trojan with botnet ID "7200." The activity was mainly taking place in France, the U.K., and Australia.

On March 31, the team again detected a Dridex botnet ID 7200 campaign being distributed via Zip-compressed executables. These emails carried the subject line "Payment Request" and included a zip attachment posing as an invoice which, if clicked, would deliver an executable that downloaded the Dridex banking trojan with botnet ID 7200. Other messages arrived with MS Word doc attachments that used a macro to download Dridex botnet 7500. Buried inside the first zip file was another zip file, this one containing a Dridex botnet 7500 executable.
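For mail-gateway defenders, the double-zipped delivery described above can be checked mechanically. The following is an added example, not code from Proofpoint or the report: it unpacks a zip attachment recursively and reports executables and nested archives with their depth. The extension lists, limits, function names and the sample archive are all assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy values, not from the report: adjust for your mail gateway.
RISKY_EXT = {".exe", ".scr", ".vbs", ".js", ".jse", ".wsf"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx"}  # zip containers, not archives
MAX_DEPTH = 3                    # do not unpack past this nesting level
MAX_MEMBER = 20 * 1024 * 1024    # do not inflate larger members (zip-bomb guard)

def scan_zip(data, depth=1, path=""):
    """Return (finding, member_path, depth) tuples for one zip attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable-archive", path or "<attachment>", depth)]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            dot = info.filename.rfind(".")
            ext = info.filename[dot:].lower() if dot != -1 else ""
            if ext in RISKY_EXT:
                findings.append(("executable-in-archive", member, depth))
            elif info.flag_bits & 0x1:          # encrypted: cannot inspect
                findings.append(("encrypted-member", member, depth))
            elif info.file_size > MAX_MEMBER:
                findings.append(("oversized-member", member, depth))
            elif ext not in OOXML_EXT and zipfile.is_zipfile(io.BytesIO(zf.read(info))):
                findings.append(("nested-archive", member, depth))
                if depth < MAX_DEPTH:
                    findings.extend(scan_zip(zf.read(info), depth + 1, member))
    return findings

def verdict(findings):
    """Map findings to a gateway action (assumed three-level policy)."""
    kinds = {kind for kind, _, _ in findings}
    if kinds & {"executable-in-archive", "encrypted-member", "unreadable-archive"}:
        return "quarantine"
    return "review" if kinds else "deliver"

def build_sample():
    """Constructed sample: zip inside a zip holding a harmless file named like an EXE."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.exe", b"placeholder bytes, not a program")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

Matching on file extension alone is a coarse filter; a production gateway would also inspect file headers and handle RAR archives, which this sketch does not.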

The researchers noted that the present campaign bears similarities to the 2016 mass volume Locky affiliate ID 3 campaign. Notably, the lures employed by the attackers in the emails use similar strategies.

The return of Dridex leads the researchers to ponder what types of attacks will be forthcoming in the next few months. Large-scale malware attacks are likely, they surmise. While admitting that this resurgence in no way equals the mass activity seen in the first half of 2016, the campaign is notable, they said, because it's a stark contrast to what was experienced in the first quarter of 2017. 

The researchers also were concerned about the different attachments used in the campaign and the similarities to techniques used in previous Locky and Dridex scourges over the past two years.