Proofpoint security researchers have published a new blog post analysing their recent detection of a very high volume of phishing emails spreading the Dridex banking Trojan.
The post explains that over the space of three days in late October, Proofpoint detected hundreds of thousands of phishing emails with malicious Microsoft Word attachments. Automated analysis followed by additional examination by their threat analysts revealed that these documents contained malicious macros that downloaded an executable that would in turn download and install Dridex.
Key takeaways include:
Macros have been disabled by default since Microsoft Office 2007, but if Office is set to disable macros “with notification”, the end user can choose to enable the embedded code by clicking the “Enable Content” button. The macro-based attacks that have exploded in prevalence in the last few months have generally addressed this by incorporating social engineering techniques, which trick the recipient into enabling macros in the document in order to view ‘hidden’ or obscured content.
The botnet ID and several other important distinctions – including the Dridex configuration file – made it evident that there were in fact two distinct campaigns, rather than a single massive campaign. The “125” botnet comprised about 20,000 IP addresses sending hundreds of thousands of messages per day for several consecutive days, and primarily targeted email accounts and financial institutions in the United Kingdom. A second, simultaneous campaign with a botnet ID of “300” employed approximately 25,000 IP addresses to send almost one million messages in a single day, primarily targeting email addresses and financial institutions in the US.
While both campaigns used Word documents with embedded macros to download and install the Dridex malware, the messages and macros themselves also showed some important differences. On the surface, the most obvious difference was one of terminology: the attachments were described as “accounting documents” for UK recipients and as “invoices” for US recipients. This may reflect the English-language skills of the attackers as much as the differences between British and American English.
Other differences were much more significant. In contrast to the attachment in the UK-targeted message – where the same filename was used for the attachment in all messages – in the US-focused campaign the attachment filename was different for every message. The macros themselves were also different, in that – as noted above – the macros in the UK-focused campaign were heavily obfuscated in order to evade detection by antivirus engines, while in the US-focused campaign the macros were encrypted in order to hinder analysis.
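The first takeaway above hinges on the Office macro security setting that determines whether a user ever sees the “Enable Content” bar. The following PowerShell audit is an added example, not code from the Proofpoint post; it reads the `VBAWarnings` value (and, for Office 2016+, `BlockContentExecutionFromInternet`) from the current user's registry hive for Word, Excel and PowerPoint, preferring a Group Policy value when one is present, and flags any configuration that still lets a user enable macros with one click.

```powershell
# Added example (not from the Proofpoint post): audit the current user's
# Office macro security level. VBAWarnings values:
#   1 = enable all macros, 2 = disable with notification (default; shows
#   "Enable Content"), 3 = disable except digitally signed, 4 = disable all.
$meaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (user can click Enable Content)'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-MacroPolicy {
    param(
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint'),
        # 12.0 = Office 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016 and later
        [string[]]$Versions = @('12.0', '14.0', '15.0', '16.0')
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            # A Group Policy value overrides the user's own preference, so check it first.
            $paths = @(
                "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security",
                "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            )
            foreach ($p in $paths) {
                if (-not (Test-Path $p)) { continue }
                $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
                if ($null -eq $props.VBAWarnings) { continue }
                $level  = [int]$props.VBAWarnings
                $source = if ($p -like '*\Policies\*') { 'Policy' } else { 'User' }
                [pscustomobject]@{
                    Version = $v
                    App     = $app
                    Source  = $source
                    Level   = $level
                    Meaning = $meaning[$level]
                    # Office 2016+: macros blocked outright in files marked as downloaded from the Internet
                    BlocksInternetMacros = ([int]$props.BlockContentExecutionFromInternet -eq 1)
                    # Level 2 still lets the lure described above succeed with a single click
                    Weak    = ($level -le 2)
                }
                break   # policy value found; skip the user hive for this app/version
            }
        }
    }
}

Get-MacroPolicy | Format-Table -AutoSize
```

Rows with `Weak = True` and `BlocksInternetMacros = False` are the installations where a socially engineered “Enable Content” click, as in the campaigns described above, would run the embedded macro.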