Dridex banking malware spreading through new spam campaign


A new spam campaign carrying the Dridex banking malware is making the rounds, targeting company accountants with phony emails.

Attached to each spam email is a fake scanned document that is, in reality, a macro-enabled .doc, Heimdal Security wrote in its blog post on the attack. The email tries to pass as legitimate under the subject line “Scanned from a Xerox Multifunction Printer.” It tells the recipient that the document was scanned and then sent to them directly from the printer.

Heimdal Security outlined a recent Dridex-spreading spam campaign that tries to trick users into opening a malicious macro-enabled document.

If the document is opened and its macro is allowed to run, the macro downloads Dridex from various compromised web pages.
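The lure described above has two observable traits a mail gateway can key on: the printer-scan subject line and a legacy .doc attachment that is really an OLE container carrying a VBA project. The following triage routine is an added example written for this article, not Heimdal's tooling or anything from the campaign itself; the verdict names, the subject string used as a signature, and the byte-level "VBA storage name in an OLE file" heuristic are assumptions, and the sample messages are constructed inline.

```python
"""Mail-gateway triage for a 'scanned document' lure whose .doc attachment is
an OLE file with a VBA macro project. Added example; heuristics and names are
assumptions, not the vendor's or the campaign's own code."""
import email
from email import policy
from email.message import EmailMessage

# OLE2 compound-file signature (the container format of legacy .doc files)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names present only in documents with a VBA project. OLE
# stores them as UTF-16LE, so encode them the same way before searching.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT", "VBA")]
# Subject wording used by the campaign (assumed to be a stable lure string)
LURE_SUBJECT = "scanned from a xerox multifunction printer"
OFFICE_EXTENSIONS = (".doc", ".dot", ".xls", ".ppt", ".docm", ".xlsm")


def attachment_has_vba(data: bytes) -> bool:
    """Cheap check: OLE container whose raw bytes contain a VBA storage name.
    A production gateway would walk the OLE directory (e.g. with oletools);
    this string scan is enough to catch an unobfuscated macro document."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def triage_message(raw: bytes) -> dict:
    """Return a verdict and the reasons for it for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").lower()
    if LURE_SUBJECT in subject:
        reasons.append("subject matches printer-scan lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(OFFICE_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        if attachment_has_vba(payload):
            reasons.append(f"attachment {name} is an OLE file with a VBA project")
    # A lure subject alone is weak evidence; a macro document is worth holding.
    if any("VBA" in r for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(with_macro: bool) -> bytes:
    """Constructed test message (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "xerox@printer.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Scanned from a Xerox Multifunction Printer"
    msg.set_content("Please open the attached document.")
    if with_macro:
        # Minimal stand-in for a macro document: OLE magic, padding, then a
        # UTF-16LE 'Macros' storage name as it would sit in the directory.
        body = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
        msg.add_attachment(body, maintype="application", subtype="msword",
                           filename="Scan_0001.doc")
    else:
        msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                           subtype="pdf", filename="Scan_0001.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_message(build_sample(flag)))
```

The subject match is deliberately treated as weak evidence, since legitimate multifunction printers do send mail with that wording; the macro check is what justifies holding a message. The marker scan will miss documents whose VBA streams are packed or renamed, which is why a proper OLE directory walk belongs in anything beyond a first-pass filter.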

While this attack isn’t terribly different from any other spam campaign, Morten Kjaersgaard, CEO of Heimdal Security, told SCMagazine.com in an email that it’s much more “refined and stealthy” in its attack mechanisms.

“As users we need to constantly remind ourselves that hackers are getting better at what they do,” he said. “This is serious business [for them] and we should consider this a serious threat.”

When Heimdal ran the compromised web pages through VirusTotal, only five of more than 20 antivirus engines detected the malicious payload.

Once on a victim’s system, Dridex “sleeps” until a user types in banking credentials that will be sent to the attackers.

Kjaersgaard recommends using a web filtering service on the endpoint, combined with other traditional security approaches, such as signature-based detection.

“I would strongly urge users and companies to be very careful in keeping their software up-to-date and not trusting unlikely inbox items,” he said. “This Dridex campaign is just the tip of a currently very big, and unfortunately increasing, iceberg.”

Source: http://www.scmagazine.com/
