After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today. Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.
True to form, the Dridex crew continues to utilize Microsoft Word Doc files with embedded macros, just as they did at the start of 2015. The Bartalex kit, a favorite for various cybercriminals, constructs these macros to deliver their malicious payload. When a user opens the malicious document, the macro code reaches out to a URL and downloads the Dridex executable. We identified the following associated Microsoft Word Doc files and URLs from today’s campaign:
The 1111.exe payload for each of these DOC files corresponds to the following file:
As of today, only 17 out of the 56 VirusTotal Anti-Virus (AV) scanners recognize the Doc files associated with this resurgence as malicious, and only two recognize the associated implant. The Palo Alto Networks AutoFocus platform correctly identifies all components of this threat under the Unit 42 Dridex tag.
Targeting and Delivery
Our analysis revealed that this return of Dridex is heavily targeted at the United Kingdom (UK).
AutoFocus map of today’s Dridex targets
Dynamoo’s Blog (Conrad Longmore) posted an example of one of this latest series of Dridex phishing messages. The malicious Doc files that we identified all employ a similar order theme in their naming convention (e.g., “Order-SO00653333-1.doc”), requesting that the recipient print out the attachment. While this phishing lure is not particularly sophisticated, it remains surprisingly effective for fulfilling the malicious actor’s objective.
Cybercriminals – especially those that have established prosperity and longevity – will continue to present threats to enterprises and home users alike, despite any setbacks as a result of arrests or other operational challenges. Even though key players in the Dridex crew may have been removed from the equation for the time being, the organization that they leave behind could very well remain viable; alternatively, other criminal groups are always waiting in the wing to assume control of certain endeavors should a vacuum or opportunity present itself. The October 2015 resurgence of Dridex is an example of how these threats continue to adapt and evolve.