Dridex Spam Bursts Reveal New Threat Tactics
The infamous banking trojan Dridex sputtered back to life at the end of May after a quiet month with new capabilities designed to trick users into opening a malicious attachment and bypass security filters.
The trojan was unusually inactive during most of last month, before reappearing in a new wave of spam emails, according to Trend Micro researchers Michael Casayuran, Rhena Inocencio, and Jay Yaneza.
These emails show the threat actors behind the campaign have changed tactics slightly, using a different kind of social engineering designed to trick users into opening the malicious attachment.
The subject line of the spam bears the message “account compromised” while the main body of the email contains details of a supposed suspicious logon attempt, including an IP address to make it look legitimate.
The attachment supposedly has the full report of this spoofed incident, Trend Micro said.
“The spammed message is almost believable except for that one missing crucial detail. It doesn’t have any information on what type of account (email, bank, social media accounts etc.) is compromised,” it added in a blog post.
“Based on our research, the spam runs of Dridex have semblances with Locky ransomware with its use of macros and identical email templates.”
Another new feature is the use of Certutil and Personal Information Exchange (.PFX) files – the latter typically used by software certificates to store public and private keys.
“When you open the .ZIP file attachment and the word document, a .PFX file is dropped. However, this won’t necessarily run on your system because it’s encrypted,” Trend Micro explained. “This is where Certutil comes in, decoding a base64-text file to convert the .PFX file to .EXE file. When the .PFX file is finally converted into an executable file, DRIDEX infects your system.”
The reason why the Dridex authors have gone to this extra effort is that .PFX and Certutil apparently help to pass off the malicious file as a legitimate certificate.
Trend Micro urged users to mitigate the risk of Dridex infection by not opening attachments or enabling macros when receiving unsolicited emails.
“On the other hand, enterprises can create policies that will block off email messages with attachments from unknown sources,” the vendor concluded.
“It also recommended that they educate their employees about this type of security threat and what to do when they encounter one.”
Source: Information Security Magazine