The Dridex banking Trojan has gained a new feature that allows it to spread itself in password-protected Microsoft Office files.
Dridex Is More Dangerous Than Before
The criminal developers of the infamous Dridex banking Trojan have modified the code base to give the malware new features, making it more dangerous both to unsuspecting targets and to machines that are already compromised.
The criminal hackers are using two new distribution methods. The first is the use of compromised machines to forward the malicious emails; previous Dridex campaigns were spread through the Necurs botnet. Because this is a new tactic, security vendors were not able to detect the infections right away.
The second technique relies on the email content itself. The malicious files with the .RTF extension are now encrypted with a password that is displayed in the email body. This prevents most automated security systems from extracting and analyzing the threat, since password extraction and document decryption are not available features in most solutions.
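A mail gateway cannot decrypt such an attachment without the password, but it can still notice the pattern the article describes: a password disclosed in the message body, paired with an attachment whose name says .RTF while its bytes are an Office container. The following triage script is an added example written for this article, not code from the article or from any security vendor. It uses only the Python standard library; the sample message it builds is constructed for the demonstration, and the magic-byte table and the password regex are assumptions you would tune for your own mail flow.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# File-magic table for the container types that matter here (assumption: extend as needed).
# Password-protected legacy .doc files keep the OLE compound-file header; OOXML is zip-based.
MAGIC = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",
    b"PK\x03\x04": "zip",
}

# Matches "password is X" / "password: X" style disclosures in a message body.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Classify attachment bytes by their leading magic, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(raw: bytes) -> list:
    """Return a list of findings for one RFC 5322 message (empty means nothing suspicious)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    password_in_body = PASSWORD_RE.search(text) is not None
    if password_in_body:
        findings.append("password disclosed in message body")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        # An .rtf name on an OLE or zip container is a file-type mismatch worth a look.
        if ext == "rtf" and kind != "rtf":
            findings.append(f"{name}: named .rtf but content is {kind}")
        # The combination from the article: an Office container plus a password in the body.
        if kind in ("ole", "zip") and password_in_body:
            findings.append(f"{name}: Office container paired with a password in the body")
    return findings


def build_sample(suspicious: bool = True) -> bytes:
    """Construct a sample message (not a real Dridex email) so triage() can run offline."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice 4711"
    if suspicious:
        msg.set_content("Please find the invoice attached. The document password is: 2017inv")
        # OLE header plus padding stands in for a password-protected .doc (constructed).
        payload = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    else:
        msg.set_content("Please find the invoice attached.")
        payload = b"{\\rtf1\\ansi Invoice 4711}"
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="invoice.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The script deliberately never tries to open the attachment with the disclosed password; the point is that the surrounding evidence is enough to quarantine or sandbox the message for a closer look, which is exactly what a password-protected lure is designed to avoid.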
When the target users open the files, a notification message prompts them to enable macros. Once macros are enabled, the Dridex loader is downloaded and installed. The new iteration uses a command-line interface to ping Google's free DNS servers 250 times to ensure a stable connection before activating its next stage.
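Two hundred and fifty echo requests to a public resolver is far outside what a legitimate connectivity check needs, which makes the behaviour a usable detection signal in process-creation telemetry. The following detector is an added example written for this article, not code from the article or from any vendor product. The event field names follow Sysmon's process-creation event (Image, ParentImage, CommandLine); the sample events, the file paths in them, the count threshold and the resolver list are constructed assumptions for the demonstration.

```python
import json
import math
import re

# Google Public DNS resolvers (8.8.8.8 and 8.8.4.4); extend the set for your environment.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
# Assumption: a benign connectivity check sends a handful of echo requests, not hundreds.
COUNT_THRESHOLD = 100

# Locates a ping invocation inside a command line, whether run directly or through
# cmd.exe /c, and captures its arguments up to the next shell operator.
PING_RE = re.compile(r'(?:^|[\s"&|\\])ping(?:\.exe)?\s+([^&|]*)', re.IGNORECASE)
# Windows ping switches that consume the following token as their value.
OPTS_WITH_VALUE = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w"}


def parse_ping(cmdline: str):
    """Return (echo_count, target) for a Windows-style ping command line, else None."""
    m = PING_RE.search(cmdline)
    if m is None:
        return None
    tokens = m.group(1).replace('"', "").split()
    count, target, i = 4, None, 0  # Windows ping sends four requests by default
    while i < len(tokens):
        tok = tokens[i]
        low = tok.lower()
        if low == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count = int(tokens[i + 1])
            i += 2
        elif low == "-t":  # ping until interrupted: treat as unbounded
            count = math.inf
            i += 1
        elif low in OPTS_WITH_VALUE:
            i += 2
        elif tok.startswith(("-", "/")):
            i += 1
        else:
            if target is None:  # first bare token is the host; ignore redirections after it
                target = tok
            i += 1
    if target is None:
        return None
    return count, target


def detect(log_lines):
    """Flag process-creation events that ping a public resolver an unusual number of times."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        parsed = parse_ping(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        count, target = parsed
        if target in PUBLIC_RESOLVERS and count >= COUNT_THRESHOLD:
            alerts.append({
                "image": ev.get("Image"),
                "parent": ev.get("ParentImage"),
                "count": count,
                "target": target,
            })
    return alerts


# Constructed process-creation events (Sysmon event ID 1 field names; paths and values
# are made up for this example).
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
                "CommandLine": "cmd.exe /c ping -n 250 8.8.8.8"}),
    json.dumps({"Image": r"C:\Windows\System32\PING.EXE",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "ping -n 4 8.8.8.8"}),
    json.dumps({"Image": r"C:\Windows\System32\PING.EXE",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "ping -n 250 10.0.0.5"}),
    json.dumps({"Image": r"C:\Windows\System32\PING.EXE",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "ping -t 8.8.4.4"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the count and the target rather than on the exact string, so a variant that changes the number or switches to the other Google resolver is still caught; the parent process in the alert is what an analyst pivots on next, since a ping loop spawned from a freshly dropped executable in a user's temp directory is the part that matters.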
The most probable intention behind this wave of Dridex malware is to infect corporate networks with hardened security rather than individual home users. In previous cases, campaigns with this threat targeted individual countries such as the United Kingdom. Security experts believe that the next iteration of Dridex may pose an even greater threat.
The new spam wave is currently active, and all users are encouraged to follow good security practices in order to avoid infection.