"This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement."
The researchers suspect that the Necurs botnet, one of the world's largest botnets, may be giving the new malware campaign a boost – something the botnet has done before. Necurs recently resurged after its annual holiday break and, in a new twist, was seen pushing an obscure cryptocurrency for the first time.
Necurs' spam campaigns are known to push out millions of emails in just hours. However, the new Dridex campaign saw just over 9,500 emails sent in total – an oddly low volume for a typical Necurs-boosted campaign.
"Although there are attributes of the campaign that suggest it is coming from Necurs, the size of the campaign is more or less 'average'. Given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery," Forcepoint researchers said.
"Dridex's seemingly endless ability to evolve makes it a real problem for anyone using online banking. It's also not exactly popular with security teams inside financial services companies themselves, given its effectiveness at stealing bank log-ins wholesale," Brooks Wallace, managing director EMEA at security company Trusted Knight, told us.
"It is a testament to the danger of such flexible malware platforms, which means teams of well-funded criminals can continue to stay one step ahead of the anti-malware and anti-virus solutions often used by even the most security-conscious online banker," Wallace added. "Dangerous – and ultimately expensive – malware like this is plundering accounts constantly, and fraud and security measures need to get smarter to protect both banks and customers from massive fraud and security losses."