The banking malware Dridex is pioneering a short-form spam campaign that allows it to more easily evade detection, according to the networking firm Cisco.
Hackers behind the virus, which uses Microsoft Office macros to install itself onto victims’ computers, created two five-hour campaign last week, still using financial subject lines to trick people into opening the malicious emails.
Nick Biasini, a threat researcher at Cisco security group Talos, wrote on the firm’s blog: "Not only did the attackers use different subjects for every email they also rarely reused an attachment name."
He added that for the first campaign the body of the email was blank, though the second appeared to be a conventional invoice.
However both campaigns included a word document with no legible text, which may alert the victim that something is amiss.
Once opened the malicious file was said to attempt to install a variant of Dridex onto the computer, the fourth that Talos has analysed over the last few months.
Biasini noted that antivirus software was having trouble keeping up with the campaigns, with protections against Dridex only being available towards the end of the five hours.
"In many of these shorter campaigns, the antivirus update can actually occur after the campaign has essentially completed, as shown below in a Dyreza C malware campaign that occurred just a couple of weeks back," he said.
"Previously, [spam] campaigns continued for days or weeks and leveraged the same subject or attachment name allowing for quick detection and prevention.
"Today, these campaigns are short lived with mutating subjects and attachments designed specifically to avoid detection and prevention."
