Just one month after US and UK law enforcement helped take down Dridex, Trend Micro is reporting the botnet is bouncing back.
The research firm said that while the October takedown of the servers housing the botnet was a positive step, there was always a very good chance Dridex would make a comeback.
Since 13 October, when the servers were taken offline, the largest share of Dridex victims (23.5 percent) has been in the United States, followed by the UK (14.3 percent) and France (14.3 percent). The remaining victims are spread across Europe and Asia.
“Unless all infrastructure is destroyed and all threat actors are caught, threats like Dridex are bound to resurface,” Ryan Flores, Trend Micro's Threat Research Manager, wrote in a blog post, adding: “While it will take time for Dridex to regain its former strength, these new spam runs indicate that the masterminds behind Dridex have regrouped and restarted their criminal activity. Users who thought Dridex was no longer a problem will have to think again.”
The latest attacks are using Dridex-related spam runs with email subject lines focusing on financial issues like invoices, unpaid bills or current credit balance. Dridex is primarily banking malware that leverages macros in Microsoft Office to infect systems, noted Forrest Stroud of Webopedia.
Meanwhile, Flores pointed out that the new variants use the same coding techniques as in the past, separating the botnet into segments with a numeric coding system to hide the attack. “Both Excel and Word documents are being used in these spam runs. When opened, these Office files contain a macro which, in turn, downloads the malicious Dridex file,” Flores said.
Because social engineering tricks are used to gain entry into a network, the best defence is to avoid opening suspicious emails and to disable unneeded macros.
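The infection chain described above starts with an Office attachment that carries a VBA macro, so a mail gateway or triage script can flag such attachments before a user ever sees the "enable content" prompt. The following script is an added example written for this article, not code from Trend Micro or from the report; it inspects a file's raw bytes, recognises the OOXML (zip) package used by .docm/.xlsm files and checks two independent indicators of a macro project (a `vbaProject.bin` part and the VBA content type declared in `[Content_Types].xml`), and flags legacy OLE (.doc/.xls) containers for deeper inspection with an OLE parser. The sample packages it builds are constructed in memory and contain no real macro code; the function names `build_sample_package` and `classify_office_file` are this example's own.

```python
"""Flag Office attachments that carry a VBA macro project (OOXML) or are legacy OLE containers."""
import io
import xml.etree.ElementTree as ET
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML packages are zip archives
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # content type of a VBA project part
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed sample for this example: a minimal OOXML zip, optionally with a VBA part.
    It is not a real Word document, only enough package structure to exercise the check."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    f'<Types xmlns="{CT_NS[1:-1]}">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project; no real macro code.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify_office_file(data: bytes) -> dict:
    """Return {"format", "has_vba", "indicators"} for a file's raw bytes.
    has_vba is True/False for OOXML, None for OLE (needs an OLE parser), False otherwise."""
    result = {"format": "unknown", "has_vba": False, "indicators": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE storages, which zipfile cannot read.
        result["format"] = "ole"
        result["has_vba"] = None
        result["indicators"].append("legacy OLE container; inspect VBA storages with an OLE parser")
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["format"] = "corrupt-zip"
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            result["format"] = "zip"          # an archive, but not an OOXML package
            return result
        result["format"] = "ooxml"
        # Indicator 1: a VBA project part anywhere in the package (word/, xl/, ppt/ ...).
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                result["indicators"].append(f"VBA project part: {name}")
        # Indicator 2: the manifest declares the VBA content type (catches renamed parts).
        try:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    result["indicators"].append(f"manifest declares VBA part {el.get('PartName')}")
            for el in root.iter(CT_NS + "Default"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    result["indicators"].append(f"manifest maps *.{el.get('Extension')} to VBA")
        except ET.ParseError:
            result["indicators"].append("unparseable [Content_Types].xml")
    result["has_vba"] = bool(result["indicators"])
    return result


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample_package(True)),
                          ("macro-free", build_sample_package(False))):
        print(label, classify_office_file(sample))
```

Either indicator on its own is enough to quarantine or sandbox the attachment; checking both makes the verdict robust to a part being renamed or a manifest being hand-edited. Legacy OLE files are reported separately because a safe verdict on them requires walking the compound-file storages, which is what tools such as oletools' olevba do.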