Pierluigi Paganini July 01, 2019

Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that shows polymorphism.

Security experts at eSentire observed a new campaign spreading a variant of the Dridex banking Trojan that implements polymorphism.

The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

Even if the activity of Dridex decreased in the last couple of years, crooks continued to updates it adding new features such the support of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.  

Malware researcher Brad Duncan first observed a new variant of Dridex on June 17 that leverage an Application Whitelisting technique to bypass mitigation via disabling or blocking of Windows Script Host. 

On June 26, 2019, experts at eSentire Threat Intelligence discovered a C2 infrastructure pointing to a similar Dridex variant that was undetected by most of the antivirus listed in VirusTotal service.

“On June 26, 2019, eSentire Threat Intelligence discovered new infrastructure pointing to a similar Dridex variant (see IOCs below).  At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior [2].  About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.” reads the analysis published by eSentire.

Experts noticed that threat actors continuously change up indicators through the current campaign, making it hard for signature-based defense solutions to detect the threat.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. Duncan pointed out that file paths, file names, and associated hashes would change at every computer login.

Attacks begin with spam emails containing weaponized documents, once victims have executed the embedded macros, the malicious code connects to the ssl-pert[.]com domain to download the Dridex installer.

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

Pierluigi Paganini

(SecurityAffairs – Dridex, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]