The formidable Dyreza and Dridex banking malware are back in renewed and rejigged macro-based campaigns that include a shift by the former to target industrial supply chain organisations and by the latter to smash the UK.
Both malware instances are dangerous. Dyreza is a powerful man-in-the-browser bank trojan whose creators have been shifting to target outside of the financial sector.
The authors over time have added targets like the recruitment sector, cyberlockers, domain registrars, and tax services.
Now big ticket industrial supply chain entities have become the latest arrows in Dyreza's quiver.
"As of 17 September Dyreza now counts an additional 20 organisations directly involved in fulfillment and warehousing including four software companies and five wholesale computer distributors," Proofpoint researchers say.
"Credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems, and many other well-known consumer- and business-facing technology and service brands.
"The specific changes observed represent a clear and deliberate strategy on the part of attackers to target a new industry, at all points across the supply chain."
Attackers gain "immense" power to empty bank accounts and even divert physical shipments, researchers say.
They say it buries the notion that man-in-the-browser attacks target only banks.
The attackers use Word macros to compromise phished users, an old attack vector that has regained popularity. The Upatre payload downloads Dyreza, which in turn downloads spam botnet components.
Dridex also uses the old-school-cool macro attack vector, having resurfaced after a two-month siesta that began when one of its authors was reportedly arrested in Moldova in August.
Palo Alto bods Brandon Levene and Rob Downs say phishing emails are once again the no-brainer method of infection.
"Dridex re-entered the threat landscape with a major e-mail phishing campaign," the pair says.
"Our analysis revealed that this return of Dridex is heavily targeted at the United Kingdom."
They say the resurgence of Dridex means the arrest of actors will not be the end of the malware as long as the organisation behind it remains viable. ®