Dridex and Email: A Nasty Social Engineering Team

It seems like hackers find a new vulnerability every week, challenging enterprise security teams to find fixes. But the bad guys also recycle not-so-golden oldies, as seen in recent email phishing schemes involving a nasty piece of malware called Dridex.

Earl Carter and Armin Pelkmann, researchers from Cisco's Talos Security Intelligence and Research Group, over the past two weeks noted a spate of phishing emails attempting to leverage Dridex, all of which utilized Microsoft Office macros. Using macros as an attack vector is so 1998, Carter told eSecurity Planet, largely because most enterprises follow the security best practice of disabling macros by default.

Because of this, "users forgot how dangerous macros could be," Carter said.

Social Engineering Twist

Attackers now try to trick users into enabling macros through social engineering. In a blog post, Carter and Pelkmann wrote about three email campaigns that took place late last week, two of which lasted just a few hours. Each included a malicious attachment that, if opened, would enable macros and expose users to attack. Despite the brief time windows, Carter said Talos' sensors detected very large volumes of malicious messages, which suggests the Dridex network of infected systems sending spam is quite large.

These attacks illustrate that "whenever companies stop securing an attack vector, attackers will start exploiting old techniques again," Carter said. "Therefore it is mandatory to constantly improve security and not 'relax' settings for older unused attack vectors."

Attackers attempted to employ macros in a similar email threat called the String of Paerls, identified by Cisco researchers in July. And Trend Micro researchers wrote about phishing emails containing Dridex code in November.

The most recent Dridex emails featured little variation in the subject lines and body text, which probably indicates the tools being used by attackers do not have many randomization options, Carter said. In theory, this also makes the attacks easier to detect. However, he added, "the sheer number of users in enterprises makes it easier for an attacker to find some users who might fall for their social engineering efforts."

How to Fight Social Engineering

The two keys to fighting these types of attacks are a multi-faceted and layered approach to security and user training, Carter said.

Enterprises that employ email filtering, anti-virus and anti-malware will be less likely to be victimized, Carter said. In fact, he said, tools such as Cisco’s Email Security Appliance (ESA) "enable enterprises to stop this particular malware before the user even has a chance to fall for the social engineering by removing the malicious content from the email before the user receives it."

Due to the swift execution of the recent Dridex attacks, a multi-layered defense is especially important. According to the blog post: "Reputation systems will most likely miss the first few seconds to minutes of an attack. The very first messages can be most efficiently stopped by content filters and anti-malware engines."

User education should not be neglected, Carter said, calling it "a key part of a comprehensive security solution." However, multiple layers of protection can help organizations that have little time or money for training.

"Many times the user is the weakest link, and in smaller companies the security training users receive may also be minimal. Without multiple layers of protection, someone is likely to be tricked by the attacker's social engineering ploy," he said.

Jason Riddle, a practice leader at LBMC Managed Security Services, recently offered several tips on training users to detect social engineering schemes in an eSecurity Planet article.

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.