Dridex Malware Takes The Piss (Or So It Claims)

Researchers from cybersecurity firm Proofpoint have been tracking a new Dridex malware campaign, which is targeting UK users via invoice emails claiming to be from a portable toilet company.

The campaign has some unusual features, beyond the millions of messages that have become the new normal for these very large Dridex campaigns.

Dumps

The campaign combines three different methods of delivering its payload, in an attempt to increase its effectiveness.

The final payload is Dridex botnet ID 220, and the campaign targets UK users (with web injects for UK, AU and FR banks). While the targeting and the botnet are nothing new, combining these delivery vectors in a single campaign is.

The messages sent in this campaign include:

– Both Microsoft Word and Excel attachments with malicious macros

– Document-based exploits that automatically download Dridex when the documents are opened on vulnerable systems (CVE-2015-1641 and possibly CVE-2012-0158)

– Zipped JavaScript attachments disguised as PDF documents. This is a new approach for Dridex, although the JavaScript functions identically to the documents, attempting to download Dridex when executed by the user.

Each email uses only one of these vectors; the actors rotated among them throughout the campaign.
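As an added example (not Proofpoint's or TechWeekEurope's code), the routine below shows how a mail gateway could triage attachments for the three vectors described above: Office files carrying a VBA project, RTF documents that should go to a sandbox because CVE-2015-1641 is an RTF parsing bug and CVE-2012-0158 was widely delivered inside RTF, and zipped scripts whose archive or member name carries a ".pdf" before the real extension. The VBA checks are byte-pattern heuristics rather than a full OLE/OOXML parser, the script extensions beyond .js are assumptions, and every sample attachment is constructed for the example, not a campaign artefact.

```python
import io
import zipfile

# Markers for the three delivery vectors. Byte-pattern heuristics, not a full
# Office/OLE parser: good enough for gateway triage, not for proof of absence.
OOXML_MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
SCRIPT_SUFFIXES = (".js", ".jse", ".wsf", ".vbs")  # .js is what the campaign used; the rest are assumed extras
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory entry names are stored as UTF-16LE
RTF_MAGIC = b"{\\rtf"
PDF_MAGIC = b"%PDF"


def _looks_like_pdf_name(name: str) -> bool:
    """True for names such as invoice.pdf.js, where '.pdf' precedes the real extension."""
    stem = name.rsplit("/", 1)[-1].rpartition(".")[0]
    return stem.endswith(".pdf")


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the vector labels that apply to one attachment (empty list = nothing flagged)."""
    name = filename.lower()
    findings: list[str] = []

    # A file that calls itself a PDF but does not start like one is suspicious on its own.
    if name.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("extension_mismatch")

    if data.startswith(OLE_MAGIC):
        # Vector 1, legacy format: binary Word/Excel with a VBA project stream inside.
        findings.append("office_macro" if OLE_VBA_MARKER in data else "ole_document")
    elif data.startswith(RTF_MAGIC):
        # Vector 2: flag RTF for sandbox detonation; no claim of exploit detection is made here.
        findings.append("rtf_document")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.lower() for m in zf.namelist()]
        if any(m in OOXML_MACRO_PARTS for m in members):
            # Vector 1, OOXML format: .docm/.xlsm (or a renamed .docx) carrying vbaProject.bin.
            findings.append("office_macro")
        else:
            scripts = [m for m in members if m.endswith(SCRIPT_SUFFIXES)]
            if scripts:
                # Vector 3: zipped script; note a PDF disguise in the archive or member name.
                findings.append("zipped_script")
                if _looks_like_pdf_name(name) or any(_looks_like_pdf_name(m) for m in scripts):
                    findings.append("pdf_disguise")
    return findings


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every attachment; a caller would quarantine any message with a non-empty result."""
    return {fn: classify_attachment(fn, blob) for fn, blob in attachments.items()}


def _zip_bytes(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from a member-name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments for the example (not real campaign files).
SAMPLES = {
    "invoice_4471.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00fake"}),
    "invoice_4471.doc": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 64,
    "invoice_4471.rtf": b"{\\rtf1\\ansi constructed body}",
    "invoice_4471.pdf.zip": _zip_bytes({"invoice_4471.pdf.js": b"// downloader stub (constructed)"}),
    "invoice_4471.pdf": b"%PDF-1.4 constructed benign pdf",
    "notes.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for fn, labels in triage(SAMPLES).items():
        print(f"{fn:24} {', '.join(labels) or 'clean'}")
```

The point of the combined check is that each vector needs a different test: a macro-enabled OOXML file is itself a zip, so the archive branch must look for vbaProject.bin before treating the zip as a script container, and a benign .docx or genuine PDF passes all three checks untouched.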

A Proofpoint researcher said: “The invoice itself claims to be for portable toilet rental. While some users may immediately discard this as spam – how many of us rent portable toilets regularly? – others may open the documents out of sheer curiosity.”

The key takeaways here are:

– Dridex actors are getting creative in the vectors they use to deliver their payloads and are exploring new means for hiding from antivirus software and other detection measures

– Curiosity can, in fact, kill the cat. It is always worth reminding users not to open unusual or suspect attachments.


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
