Dridex is Back – This Time on Your Slack

Published On : 2021-10-03

A modified version of the Dridex banking trojan, named DoppelDridex, is being delivered via payloads staged on Slack and Discord CDNs. To launch the malware, several campaigns use attachments containing Excel 4.0 sheet-style macros that fetch the initial payload from domains of popular messaging CDNs such as discordapp[.]com and files.slack[.]com. Because these sites are usually allowlisted by network-based controls and proxies, threat actors find them attractive launchpads for staging payloads.
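The delivery chain above leaves a detectable trace: an Office process, not a browser, fetching a file from a messaging CDN that the proxy allowlist would otherwise pass. The following detection logic is an added example, not part of the CYFIRMA write-up; the log format, field names, hostnames and file paths are constructed for illustration, and only the two CDN domains come from the text.

```python
# Added example: flag Office processes fetching files from messaging-platform CDNs.
# Log format, field names, hosts and URLs below are constructed, not from the write-up.
import re
from urllib.parse import urlsplit

# CDN domains named in the write-up; match them and any subdomain.
STAGING_DOMAINS = ("discordapp.com", "slack.com")
# Office hosts that rarely have a legitimate reason to pull files from these CDNs.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Constructed log format: "<ts> host=<name> proc=<image path> url=<url> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

def is_staging_domain(hostname):
    """True if hostname is a listed CDN domain or one of its subdomains."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in STAGING_DOMAINS)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].rsplit("\\", 1)[-1].lower()  # keep the image name only
    rec["domain"] = urlsplit(rec["url"]).hostname or ""
    return rec

def find_suspicious(lines):
    """Return records where an Office process fetched from a staging CDN."""
    return [
        rec for rec in map(parse_line, lines)
        if rec and rec["proc"] in OFFICE_PROCESSES and is_staging_domain(rec["domain"])
    ]

SAMPLE_LOGS = [  # constructed sample lines; hosts, paths and URLs are made up
    "2021-10-01T09:12:03Z host=WS-17 proc=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE url=https://cdn.discordapp.com/attachments/1111/2222/invoice.bin status=200",
    "2021-10-01T09:12:05Z host=WS-17 proc=C:\\Windows\\System32\\rundll32.exe url=http://198.51.100.7/x status=200",
    "2021-10-01T09:13:10Z host=WS-22 proc=C:\\Program Files\\Mozilla Firefox\\firefox.exe url=https://files.slack.com/files-pri/T0/F0/report.pdf status=200",
    "2021-10-01T09:14:44Z host=WS-09 proc=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE url=https://files.slack.com/files-pri/T0/F1/update.dll status=200",
    "2021-10-01T09:15:00Z host=WS-09 proc=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE url=https://files-slack.com/x status=200",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT {hit['host']}: {hit['proc']} fetched {hit['url']}")
```

The browser download from files.slack.com and the lookalike files-slack.com host are deliberately left unflagged, so the rule keys on the process-to-domain pairing rather than the domain alone.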

DoppelDridex and Threat Groups

TA505

This financially motivated threat group has been active since 2014. CTI suspects the group to have Russian origins. Apart from providing initial access to other threat actors, TA505 is notorious for its Big Game Hunting operations. While several threat actors have distributed Dridex, this group was the first to use the trojan, in a campaign in July 2014.

Target Countries: Canada, Germany, South Korea, UK, USA

Target Industries: Enterprises across Industries, Government Agencies

DoppelSpider

Another suspected Russian ransomware group, DoppelSpider has been active since 2019. CYFIRMA Researchers suspect this threat actor to be responsible for operating DoppelPaymer and DoppelDridex. Researchers have observed this group regularly leveraging Slack as well as Discord to drop DoppelDridex.

Target Countries: Austria, Canada, Chile, China, France, Italy, Germany, Japan, Mexico, Qatar, Saudi Arabia, South Africa, Spain, Sweden, Switzerland, UAE, UK, USA

Target Industries: Aviation, Healthcare, Financial Services, Manufacturing, Media, Telecommunications, Others

Grief Ransomware

This ransomware-extortion threat group first emerged in May 2021. It is known to maintain a public leak site where it posts stolen victim data. Threat Actor TA505 is also suspected of leveraging Grief Ransomware to carry out various campaigns/malicious activities.

To date, Grief ransomware has targeted the following industries:

  • Education – US
  • Government – US
  • Manufacturing – European Nations, Canada
  • Hospitality – UK
  • IT Services – France
  • Pharmaceuticals – Italy
  • Food & Beverage – France
  • Agriculture – Croatia
  • Online Retail – UK
  • Healthcare – US
  • Advanced Technology – Portugal

Recommendations

Integrate CTI feeds with existing SIEM solutions to allow faster detection and alerting of malicious activities. Enrich threat intelligence by combining local monitoring with internal and external feeds.

Assess and deploy an advanced endpoint protection solution that provides detection and prevention of malware and malicious activities without relying on signature-based detection methods.

Implement identification and prioritization of cyber risks and of PII/CII/PIFI (personally identifiable information / customer identifiable information / personally identifiable financial information) through risk assessments, vulnerability assessments, and system reviews.

Ensure software and applications are inventoried, allowing the organization to keep track of software name and version, installation, last patch date, and current known vulnerabilities. This helps organizations schedule updates, remove vulnerable utilities that ransomware could exploit, and significantly reduce the attack surface.

Immediate action must be taken to isolate the ransomware to minimize the damage to the data, to prevent the spread of infection to other systems and networks, and to minimize the impact on the mission or business.

Minimize business impact by being open and transparent in the event of a ransomware incident to restore confidence among stakeholders. Restoration activities must be coordinated with internal as well as external parties (coordinating centers, ISPs, system owners, victims, other CSIRTs, vendors, etc.).
