The proliferate Dridex banking malware is back in a new and improved version and has begun going after targets in the UK, France and Australia. The malware was first spotted in 2014 and was highly active throughout 2017, targeting banks across the globe.
The new campaign started on 17 January, Wednesday, and was discovered by security researchers at Forcepoint. It has been designed to send out malicious phishing emails using compromised FTP sites.
"The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups," Forcepoint security researchers said in a blog. "This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement."
The researchers suspect that the Necurs botnet, one of the world's largest botnets, may be giving the new malware campaign a boost – something the botnet has done before. Necurs recently resurged after its annual holiday break and in a new twist, and was seen pushing an obscure cryptocurrency, for the first time.
Necurs' spam campaigns are known to push out millions of emails in just hours. However, the new Dridex campaign saw just over 9,500 emails sent in total – an oddly low volume for a typical Necurs-boosted campaign.
"Although there are attributes of the campaign that suggest it is coming from Necurs, the size of the campaign is more or less 'average'. Given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery," Forcepoint researchers said.
"Dridex's seemingly endless ability to evolve makes it a real problem for anyone using online banking. It's also not exactly popular with security teams inside financial services companies themselves, given its effectiveness at stealing bank log-ins wholesale," Brooks Wallace, managing director EMEA, at security company Trusted Knight, told IBTimes UK.
"It is a testament to the danger of such flexible malware platforms, which means teams of well-funded criminals can continue to stay one step ahead of the anti-malware and anti-virus solutions often used by even the most security conscious online banker," Wallace added. "Dangerous – and ultimately expensive – malware like this is plundering accounts constantly and fraud and security measures need to get smarter to protect both banks and customers from massive fraud and security losses."