Dridex switches from office docs to security notifications in new spam run

Dridex is back, after seemingly dropping out of favour once all major filtering systems tried to find a way to defeat the macro-downloaded payload.  Building in popularity throughout May and June, this new iteration uses scare-tactics to convince the user to open an attached .zip file.  Previously Dridex was deployed via macro by convincing a user to open an attached office document.  Now the attachments are ‘security notifications’ and the email uses scare tactics by trying to pretend to be a blocked attachment supposedly sent from the mail server. When paired with a certified application (CertUtil) the threat is more likely to pass through sandboxing solutions meaning infections are much more difficult to block. CertUtil can quite legitimately have macros packaged up with it.

Whilst this shouldn’t change much for network security professionals, as the advice remains to not open anything you’re not expecting and always stay suspicious of compressed files anywhere, this could increase the occurrence of Dridex infections.  As a result, try to stay vigilant of any suspicious network activity that could indicate Dridex presence on your network.

Although the download vector has changed in this new iteration, researchers at Trend Micro (who have already added protection to their MainlineDV filter), have suggested that once downloaded, the malware behaves the same as previously.  That is to say, keep your network monitoring running, and a keen eye out for an increase in Dridex again.

Source