Proofpoint researchers have discovered a massive spike representing ‘millions of messages’ delivered by Dridex banking trojans that are targeting Australian organisations.
The Dridex trojan — and others like it — have been preying on victims in order to extract financial information such as banking details, credit card data and other logins. This information is then used to conduct fraudulent activities.
Kevin Epstein, Proofpoint’s VP of the Threat Operations Center, says Dridex is not a new trojan.
“Dridex quickly became one of the most notorious banking Trojans in 2015 when massive email campaigns began delivering the malware to millions of recipients. By the middle of 2016, Dridex was mostly being used in smaller attacks as the threat actors behind it turned to distributing Locky in even larger campaigns. Dridex never went away – the actors using it just changed tactics.”
Proofpoint describes two emails used to hide the trojan: One appearing to be from the Royal Australian Mint and the other from lowcostholidays.
Both emails contain double-zipped VB scripts, double-zipped executables or zipped RAR achives. When executed, the scripts downloaded either the Dridex trojan or “Quant Loader”, which then downloaded Dridex.
Another type contained macros to download the Dridex botnet.
He believes the attackers behind the malware trojans could be picking up steam again, particularly as the Trojan attacks have targeted Australia, the UK and France.
“We haven’t observed any malware campaigns of this size in 2017 – given a number of similarities to previous Locky and Dridex campaigns, it appears that these threat actors’ sending infrastructure is returning to full operation. It remains to be seen what that means for high-volume malware campaigns in the coming months.”
The company says organisations that use business accounts are particularly at risk from Trojans, as there could be millions of dollars worth of losses. Information security managers should be concerned when there’s so much at stake.
“While we have seen the pendulum swing this year towards smaller-scale attacks and campaigns, often with higher degrees of targeting and personalisation, the re-emergence of multi-million message campaigns suggests that organisations may now need to cope with a combination of strong social engineering, a wide range of malware, and high-volume spray-and-pray campaigns,” Epstein says.