Notorious banking malware Dridex has made a comeback this month despite attempts by law enforcers to sinkhole and dismantle the botnet behind it, according to researchers.
Security firm ZScaler claimed that it’s still being distributed by emails with malicious Microsoft Office attachments that lead to the download of the trojan executable.
It explained the following:
“MHTML, also known as MIME HTML, is a web page archive format used to combine in a single document the HTML code and its companion resources that are otherwise represented by external links (such as images, Flash animations, Java applets, and audio files). The malware authors are known to send the documents containing malicious macro in MHTML format to evade antivirus detection.”
In addition, the embedded macro is protected with a password to prevent modification, the team claimed.
Most of the Dridex executable hosting servers are located in North America, followed by Europe, South America and then the Middle East, ZScaler claimed.
The UK’s National Crime Agency explained a fortnight ago that its National Cyber Crime Unit (NCCU) had been working with the FBI to sinkhole Dridex and render the botnet harmless.
However, that doesn’t appear to have worked, with Zscaler claiming that although infections “went down considerably” after the global takedown operation, “we are starting to see a steady increase in the infections this month, which indicates the malware gang's attempt at resurrecting this highly lucrative botnet.”
“The authors continue to use the tactic of digitally signed malware executable to evade detection with legitimate certificates created specifically for this purpose,” the firm added.
The NCA also warned recently that the banking trojan, which is a descendant of the infamous Zeus malware, has enabled those behind it to steal credentials and commit fraudulent transactions to the tune of £20 million in the UK alone.
First spotted late last year and aimed up until now largely at UK and US targets, it seems Dridex still has plenty of life left in it yet.