Banking Trojan Has Been Replaced by Locky Ransomware by Dridex Botnet

Researchers are tracking a huge spam campaign bombarding inboxes with Locky ransomware downloaders in the form of JavaScript attachments. Security firm Trustwave reported that this huge spike signifies an astonishing increase in the distribution attempt of the Locky ransomware.

Trustwave said that spam laced with malware has constituted 18% of the overall spam accumulated in its honeypots over the previous seven days. They also said that spam infected with malware usually represent below 2% of total spam. The latest swell to 18% is mostly due to ransomware Javascript downloaders. Trustwave reported that campaigns are not continuous, and delivered in bursts for an hour or so.

Operators of Dridex botnet have enormous experience in delivering malware since 2014, and some of them even before that as a piece of Gameover Zeus, which is another infamous top-3-level banking botnet.

Locky rapidly made victims all over the world by their experience in pushing huge amount of spam, and become as dangerous as CryptoWall or TeslaCrypt. As per Trustwave, the campaigns are coming from that same botnet, which is responsible for documents spammed before with malicious macros that download the Dridex banking Trojan.

Threatpost.com posted on March 10th, 2016, stating that in Dridex banking malware case, an email attachment was received by the victims disguised as an invoice, however actually it was document-based macro attack. Law enforcement thought that Dridex would cease to operate for betterment after his arrest, but the group only chooses to change MO and spotlight on simple monetization schemes, such as ransomware.

Dridex's Locky has already put a huge infrastructure in place during their previous operations, and due to this it has become a major player on the ransomware scene just a few days after it launched. According to common sense, it will remain so, till more members of the group are arrested and the botnet is sinkholed.

Trustwave reports that an exclusive webpage is created for every victim, which can simply be accessed via Tor anonymous browser. A setup of bitcoin payment was contained in this page, where the pay for decrypter tool could be done by the victim. Trustwave suggests admin to strengthen their security against spam by blocking the spam attacks of Locky in the email gateway through filtering out incoming email by .js attachments and Office documents with macros.

» SPAMfighter News - 3/17/2016