Fresh Dridex banking Trojan campaigns target the US, UK and France – despite a recent law enforcement takedown operation – warn security researchers

The Dridex Trojan used to steal millions from UK bank customers has reportedly bounced back from a joint UK-US operation to dismantle the criminal botnet supporting it.

In October 2015, the UK’s National Crime Agency (NCA) set up a sinkhole for Dridex malware to stop infected computers – collectively known as a botnet – from communicating with the cyber criminals controlling them, in conjunction with a US sinkhole operated by the FBI.

Dridex malware – also known as Bugat and Cridex – is believed to have been developed by technically skilled cyber criminals in eastern Europe to harvest online banking credentials. The criminals use the stolen credentials to take money from the accounts of individuals and businesses around the world.

Global financial institutions and a variety of different payment systems have been particularly targeted, with UK losses estimated at £20m.

In October, the NCA said its National Cyber Crime Unit (NCCU) had rendered a large portion of the botnet harmless – but just a month later Dridex is steadily regaining its footing in the US, according to Ryan Flores, threat research manager at security firm Trend Micro.

“Taking down servers is a significant step in crippling botnets, but unless all infrastructure is destroyed and all threat actors are caught, threats like Dridex are bound to resurface,” he wrote in a blog post.

Computers typically become infected with Dridex malware when users receive and open documents attached to seemingly legitimate emails.

According to Flores, since 13 November 2015 researchers have seen multiple Dridex-related spam runs, most of which use social engineering lures that involve financial matters such as an invoice, an unpaid bill, a financial statement, current credit balance or receipt.

The top targets of the spam campaigns have been the US (23%), UK (14%), France (14%) and Australia (13%).

Malicious macros

The Dridex spam campaigns are being run by Dridex botnets that date back to August 2014. Flores said this shows the operation by the NCA and FBI did not take down the whole botnet.

Analysis of ten new variants found by researchers since October shows they use the same obfuscation and indirect-call techniques as past variants to make analysis more difficult.

The spam campaigns use Excel and Word documents containing malicious macros, and all that is required to infect a computer is for the booby-trapped file to be opened and its macros allowed to run. No software vulnerability is exploited, said Flores.
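Because the attachments carry no exploit, the detectable artefact is the macro itself. The following is an added example written for this article, not code from Trend Micro or from the Dridex analysis, showing how a mail gateway or triage script can flag macro-bearing Office attachments by content rather than by file extension. Modern Office files are zip containers whose VBA project is stored in a part named vbaProject.bin and declared in [Content_Types].xml; legacy .doc/.xls files are OLE2 compound documents, for which the code uses a quick string heuristic on the UTF-16LE directory-entry name _VBA_PROJECT (a full OLE parser such as oletools is more precise). All sample attachments are constructed in memory; none is a real Dridex document.

```python
import io
import zipfile
from typing import Dict

# OOXML (.docm/.xlsm) markers: the VBA project part and its declared content type.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# OLE2 compound-document magic (legacy .doc/.xls) and a heuristic marker for the
# VBA storage's directory-entry name, which OLE stores as UTF-16LE.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes carry a VBA project, whatever the file is named."""
    if data.startswith(OLE_MAGIC):
        # Heuristic only: a proper OLE directory walk would confirm the storage tree.
        return OLE_VBA_MARKER in data
    if not data.startswith(b"PK"):
        return False  # neither OLE nor zip: not an Office container
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False
    return False


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    override = (
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not real VBA")
    return buf.getvalue()


# Constructed sample attachments mimicking the finance-themed lures described above.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "invoice_4471.docm": build_ooxml(with_macro=True),
    "statement.docx": build_ooxml(with_macro=False),
    # A macro-enabled container renamed to a harmless-looking extension.
    "unpaid_bill.docx": build_ooxml(with_macro=True),
    # Fake OLE2 blob: magic header, a root entry name, then the VBA storage name.
    "receipt.xls": OLE_MAGIC + b"\x00" * 24
    + "Root Entry".encode("utf-16-le") + b"\x00" * 8 + OLE_VBA_MARKER,
    "notes.txt": b"plain text, nothing to scan",
}


def triage(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each attachment by content; the extension is never consulted."""
    return {
        name: ("MACRO" if has_vba_macros(blob) else "clean")
        for name, blob in attachments.items()
    }


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20s} {verdict}")
```

The point of the renamed unpaid_bill.docx entry is that a gateway rule keyed on .docm/.xlsm extensions misses it, while inspecting the container does not; in production, quarantine or strip any attachment the check flags that arrives from outside the organisation.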


Users are advised to disable macros in Excel and Word if they are not needed, and not to click "OK" or "Enable Content" on any dialogue box or security warning asking to enable macros in a document they were not expecting.