The Dridex financial Trojan, which has emerged as one of the most dangerous and active banking Trojans, has ramped up its activity again after a short two-month lull, Proofpoint security researchers reported on Thursday.
For the last two months the Dridex Trojan had been delivered to victims by only a very small number of email campaigns, up to a thousand messages per day. Now, however, security researchers are observing a surge in the Trojan's activity that suggests preparation for new large-scale spam campaigns. The peak of this activity was observed at the start of last week, and the spam attacks were aimed at financial companies.
Most of the spam campaigns were aimed at Swiss companies. These attacks were carried out using the Dridex botnets #1124, #144, #1024, #124 and #38923. Australia, the United Kingdom and France were also among the attackers' targets. One of the latest email campaigns, on August 16, used Dridex botnet #228 and carried a botnet configuration targeting banking websites in the U.K., Australia, France and the U.S. The spam messages are sent out in bulk by email and carry attached Word (DOCM) files containing malicious macros.
The current Dridex build targets a wide range of server-side payment processing and transfer systems, point-of-sale (POS) software and remote management systems. The Dridex spam campaign seen on August 11 also used DOCM attachments, which led to further infections by botnet #144. Those spam messages were written in German, one of the major languages of Switzerland, and were aimed at Swiss banking websites.
“The infiltration burst we’ve seen recently, as well as the growing abilities of this malware, can bring Dridex a new life. The spammers are trying to monetize their activities by attacking the financial services industry,” Proofpoint researchers said.