The noxious banking Trojan Dridex is back after almost two months of near dormancy, with a new spam campaign focusing on higher-value targets. Security researchers have found that recent Dridex campaigns are tightening their geographical focus to a set of countries that includes Switzerland.
According to the cybersecurity firm ProofPoint, the recent drop in Dridex activity indicates that the cybercriminals behind the banking Trojan have made key changes to their modus operandi. "The much lower volume suggests a higher degree of targeting, freeing the actors to pursue more lucrative attacks and leverage stolen information more effectively," ProofPoint researchers said in a blog post.
The hackers behind Dridex began distributing both the banking Trojan and the Locky ransomware via their botnet in January 2016. However, campaigns for both went down together with the Necurs botnet in June, only to return after a mysterious three-week hiatus.
While campaign activity for both Dridex and Locky was comparatively low, Locky soon surpassed Dridex. Most recently, the hackers behind Locky launched a massive campaign against the healthcare sector, primarily targeting the US, Japan and South Korea.
"Throughout July and August 2016, we have tracked a number of very small Dridex attachment campaigns, varying from single digits to a couple thousand messages each. On August 15 and 16, the largest observed campaign since the middle of June delivered tens of thousands of messages, primarily targeting financial services and manufacturing organizations. However, this volume does not even approach the multimillion-message campaigns of May 2016," the security firm said.
Researchers also noted that, unlike previous Dridex campaigns, which focused on widespread distribution through a high volume of spam emails sent across the globe, the group's recent high-volume activity focuses primarily on distributing the prolific Locky ransomware. Dridex itself was also found to be targeting PoS (point-of-sale) systems.
Coincidentally, there have been several recent high-profile data breaches involving PoS systems: the Oracle data breach, the cyberattacks on HEI Hotels and Resorts and the Eddie Bauer malware attack were all carried out by cybercriminals targeting PoS systems.
"The recent shift to more targeted distribution and a growing set of capabilities suggest that Dridex may be taking on a new life even as the high-volume campaigns shift to distributing almost exclusively Locky and its associated payloads. While these large campaigns may have saturated many target countries, Dridex actors are still looking to monetize the malware by targeting a smaller number of large organizations, many in financial services," ProofPoint said.