PhishMe senior researcher Ronnie Tokazowski has warned that the operators behind Dridex are experimenting with new attack vectors.
Ronnie explains, "When one threat actor starts shifting TTPs, it's usually a big deal. Attackers get comfy in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers' part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers. Over the last few weeks, here at PhishMe, we've seen attackers experiment with Word documents with macros (typically Dridex); Neutrino malware; Pony malware; Zip with .js deliveries; straight .js files attached to the document; Word exploits (CVE-2012-0158); and CAB attached files.
"While the others are interesting, the most interesting of them all is the exploit for CVE-2012-0158, an exploit for Word. When triggered on a vulnerable system, the document opens, quickly closes, and then opens a second document without user interaction."
Incidentally, the dropped document is rather amusing: http://phishme.com/wp-content/uploads/Figure-2-3.png
Speaking about what happens once the exploit is triggered, Ronnie adds, "This specific exploit was a favourite of APT actors for a long time, and was quickly adopted by attackers on the cyber crime side due to the reliable nature of the exploit. The file used for this exploit is an RTF file; however, straight .doc files can be used as well. When looking at the file statically, we can see references to "sandworm" in the file."
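The attachment types Ronnie lists (macro documents, Zip-with-.js, bare .js, CAB files, and RTF exploit documents shipped under a .doc name) are the kind of thing a mail-gateway or IR triage script should sort by content rather than by extension. The script below is an added example, not PhishMe's code and not anything the researcher published: the attachments it inspects are constructed byte strings, the magic-byte table, the RTF `\objdata`/`\objclass`/`\objocx` object check and the UTF-16LE `_VBA_PROJECT` stream-name heuristic are assumptions of the example, and the "sandworm" string check mirrors only what the article reports seeing in the RTF.

```python
"""Attachment triage by content, covering the delivery types in the article.

Added example, not PhishMe's code. Sample attachments are constructed.
"""
import io
import zipfile
from collections import Counter
from dataclasses import dataclass, field

# Container magic bytes (standard values, assumed here). A legacy .doc is an
# OLE2 compound file; an RTF is plain text that starts with the {\rtf word.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {b"{\\rtf": "rtf", OLE2_MAGIC: "ole2", b"PK\x03\x04": "zip", b"MSCF": "cab"}
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
# RTF control words that introduce an embedded OLE object / ActiveX control.
RTF_OBJECT_WORDS = (b"\\objdata", b"\\objclass", b"\\objocx")
# OLE2 directory entry names are UTF-16LE; this stream only lives inside a
# VBA project storage. Heuristic substring check, not a compound-file parse.
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")
MARKER_STRINGS = (b"sandworm",)  # the string the article says appeared in the RTF


@dataclass
class Verdict:
    filename: str
    kind: str
    flags: list = field(default_factory=list)


def classify(filename: str, data: bytes) -> str:
    """Identify the container by content first and by extension second."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if filename.lower().endswith(SCRIPT_EXTS):
        return "script"
    return "other"


def triage(filename: str, data: bytes) -> Verdict:
    kind = classify(filename, data)
    v = Verdict(filename, kind)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    low = data.lower()
    if kind == "rtf":
        # Exploit RTFs are commonly sent with a .doc name; Word opens them regardless.
        if ext != "rtf":
            v.flags.append(f"rtf-body-with-{ext or 'no'}-extension")
        if any(w in low for w in RTF_OBJECT_WORDS):
            v.flags.append("embedded-ole-object")
    elif kind == "ole2" and VBA_STREAM_NAME in data:
        v.flags.append("vba-project-stream")
    elif kind == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
            v.flags.append("corrupt-zip")
        for n in names:
            if n.lower().endswith(SCRIPT_EXTS):
                v.flags.append(f"zip-contains-script:{n}")
            if n.lower().endswith("vbaproject.bin"):  # OOXML macro container
                v.flags.append("macro-enabled-ooxml")
    elif kind == "script":
        v.flags.append("bare-script-attachment")
    elif kind == "cab":
        v.flags.append("cab-attachment")
    for m in MARKER_STRINGS:
        if m in low:
            v.flags.append(f"marker:{m.decode()}")
    return v


def breakdown(verdicts):
    """Percentage of attachments per container kind, like the yearly split in the article."""
    counts = Counter(v.kind for v in verdicts)
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 1) for k, n in counts.items()}


def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (not real samples), one per delivery type.
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata 01050000 SANDWORM 0000}}\\par}",
    "report.zip": _zip_with("report.js", b"var s=new ActiveXObject('WScript.Shell');"),
    "resume.js": b"var s=new ActiveXObject('WScript.Shell');",
    "update.cab": b"MSCF" + b"\x00" * 32,
    "memo.doc": OLE2_MAGIC + b"\x00" * 8 + VBA_STREAM_NAME,
    "notes.txt": b"plain text, nothing to see",
}


def run():
    return [triage(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    verdicts = run()
    for v in verdicts:
        print(f"{v.filename:12} {v.kind:7} {', '.join(v.flags) or '-'}")
    print(breakdown(verdicts))
```

Classifying by magic bytes is what catches the case Ronnie describes: an RTF body under a .doc name is flagged both for the extension mismatch and for carrying an embedded object, which is the combination worth pulling aside for sandboxing regardless of whether the "sandworm" marker is present.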
Returning to the experimentation he highlighted at the outset, and to put the shift in perspective, Ronnie concludes, "For all of 2015, Dridex can be broken down by the following percentages: Office macro/Dridex at 73%, Dridex alone at 22%, and everything else at 5%. In 2016, the attackers have already used seven different attachment types…and it's only February. Given the recent adjustments and tactic shifts with Dridex, this is something that we all will need to watch out for in the coming months. With Dyre out of the picture, this may be an attempt by the Dridex operators to fill in the gaps where Dyre left off."