Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The Dridex Banking Malware is risen, British attention

The Dridex Banking Malware is risen, security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign. Once against the Dridex banking Trojan is in the headlines, this week security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign. The phishing campaign is targeting victims mainly in the UK, the malicious messages […]

The Dridex Banking Malware is risen, British attention

The Dridex Banking Malware is risen, security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign.

Once against the Dridex banking Trojan is in the headlines, this week security experts at Palo Alto intelligence discovered a still ongoing large phishing campaign.

The phishing campaign is targeting victims mainly in the UK, the malicious messages include a Microsoft Word document that entices users to enable macros. The macros are used to enable the downloading of the Dridex banking malware from domains controlled by the attackers.

dridex map

The phishing messages refer business or retail order and ask for payment, the malicious attachments pretend to be an invoice, but the victim is presented with a dialog box that asks them to enable macros in order to correctly view the document.

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft have seen a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

In April 2015 security experts across the world detected sample of the “Dridex” banking Trojan and “TorrentLocker” ransomware, which is being spread through macros.

The security researchers confirmed that the overall volume of Dridex emails peaked nearly 100,000 per day, this new campaign already reached 20,000 emails, mostly targeting emails accounts in the UK.

“After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today.  Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.” states Palo Alto in a blog post.

Dridex malware had been quiet for a short period, likely due to law enforcement activities, but recent events demonstrate a resurgence of the Dridex threat. Early September law enforcement identified and arrested in Cyprus a 30-year-old Moldovan man allegedly behind the Dridex campaigns.

“Between the end of August and now, we had seen no Dridex activity at all,” Palo Alto intelligence director Ryan Olson said. “We attribute that to the arrest. We assumed there was some organizational shakeup and people were regrouping. It popped up again this morning with some volume.”

The macros used in this phishing campaign allow the download of the malware from one of the URLs in a list published by Palo Alto. The blog post of the company includes this list, the indicators of compromise and, of course, the list of Command and Control Centers.

Unfortunately the events demonstrate the efficiency of the criminal ecosystem that were able to react to the action of Law Enforcement, despite continuous arrests made by the authorities, new criminal groups are always waiting in the wing to gain the control of profitable activities in the criminal underground.

Pierluigi Paganini

(Security Affairs –  Dridex, malware)