Dridex is a well-known Trojan which specializes in the theft of online banking credentials. First spotted in 2014, the malware’s developers appear to be very active and are constantly evolving the software’s capabilities and attack vectors.
In January last year, researchers from Forcepoint Security Labs found that Dridex had expanded its infection chain: victims were reached not only through phishing campaigns but also through compromised FTP servers.
The latest strain of the malware was first spotted by security researcher Brad Duncan earlier this month. According to Duncan, the new variant uses an application whitelisting bypass technique to get around restrictions on the Windows Script Host: instead of running its script through wscript.exe or cscript.exe, which are commonly blocked, it has the Windows WMI command-line utility (WMIC) execute script embedded in an XSL stylesheet.
Because WMIC is a signed Microsoft binary that whitelisting policies rarely restrict, and its XSL handling was never designed as a script execution boundary, the loader runs even on hosts where the Windows Script Host is disabled or blocked.
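The WMIC-plus-XSL technique described above is detectable from process creation logs, because the stylesheet has to be named on the command line. The following is an added example written for this page, not code from the article, from Brad Duncan or from eSentire. It assumes the stylesheet is passed through WMIC's /format: switch (the mechanism commonly known as "Squiblytwo"), models the log in a Sysmon Event ID 1 style (process image plus command line), and uses an assumed allowlist of WMIC's built-in format names; the sample events are constructed.

```python
"""Flag WMIC invocations that execute script from an XSL stylesheet.

Added example; not code from the article or from the researchers it cites.
Assumptions: the stylesheet is passed via /format: (local path or URL), the
records mirror a Sysmon Event ID 1 layout (Image, CommandLine), and the
allowlist of built-in format names is complete enough for illustration.
"""
import re

# Constructed input: (Image, CommandLine) pairs as a process-creation log would carry them.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     'wmic os get /format:"https://example.invalid/payload.xsl"'),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic process list /FORMAT:C:\\Users\\Public\\update.xsl"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic os get caption,version /format:list"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

# Built-in format names that WMIC resolves to stylesheets shipped in System32\wbem.
# Anything else is treated as an operator-supplied stylesheet. (Assumed allowlist.)
WMIC_BUILTIN_FORMATS = {
    "list", "csv", "table", "texttable", "textvaluelist", "value",
    "xml", "rawxml", "mof", "hform", "htable", "hmof",
}

# /format: or -format:, value either double-quoted (may contain spaces) or bare.
FORMAT_RE = re.compile(r'[/-]format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extract_format_arg(cmdline):
    """Return the value passed to /format:, or None if the switch is absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_format_arg(arg):
    """Classify a /format: value as builtin, remote_xsl, local_xsl or unknown_format."""
    value = arg.strip().strip("'\"")
    lower = value.lower()
    if lower in WMIC_BUILTIN_FORMATS:
        return "builtin"
    if "://" in lower:                       # http(s)://, ftp://, file://
        return "remote_xsl"
    if "\\" in value or "/" in value or lower.endswith(".xsl"):
        return "local_xsl"
    return "unknown_format"                  # bare name not in the allowlist


def scan_events(events):
    """Return findings for wmic.exe launches whose /format: value is not a built-in."""
    findings = []
    for image, cmdline in events:
        if image.rsplit("\\", 1)[-1].lower() != "wmic.exe":
            continue
        arg = extract_format_arg(cmdline)
        if arg is None:
            continue
        verdict = classify_format_arg(arg)
        if verdict != "builtin":
            findings.append({"image": image, "cmdline": cmdline,
                             "format": arg, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['verdict']:15} {f['cmdline']}")
```

Two caveats for anyone turning this into a production rule: it needs command-line logging (Sysmon, or 4688 with command-line auditing enabled), and the image-name check is defeated by a renamed copy of wmic.exe, so match on the binary's original file name or hash rather than its path where the log source provides it. Where WMIC is not needed by administrators, blocking it outright in the whitelisting policy removes the gap this rule is watching for.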
Dridex has also reworked how its payload is loaded. According to Duncan, the Dridex payload is a 64-bit DLL that reuses the file name of a library loaded by a legitimate Windows executable (DLL side-loading), and both the file name and the SHA256 hash change every time the victim logs into the infected Windows host, so any hash-based indicator goes stale almost immediately.
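Because the DLL name and hash rotate per logon, a practical detection for the side-loading described above has to key on where the library is loaded from rather than what it is called or what it hashes to. The block below is an added example for this page, not code from the article or from the researchers it cites. It assumes a Sysmon Event ID 7 style image-load record (loading process, loaded module, signature status), an assumed small set of system DLL names, and assumed system directories; the records are constructed.

```python
"""Flag DLL side-loading candidates in image-load records.

Added example; not code from the article or from the researchers it cites.
Assumptions: records mirror a Sysmon Event ID 7 layout (Image, ImageLoaded,
Signed), SYSTEM_DIRS lists where Windows binaries legitimately resolve their
system DLLs, and KNOWN_SYSTEM_DLL_NAMES is a small illustrative allowlist.
The check is deliberately path-based: names and hashes rotate per logon.
"""

# Directories from which Windows binaries legitimately load system DLLs (assumed).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Constructed: library names that legitimate Windows executables load.
KNOWN_SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptsp.dll",
                          "uxtheme.dll", "propsys.dll"}

# Constructed image-load records: (Image, ImageLoaded, Signed).
# tool.exe stands in for a copied legitimate Windows executable.
SAMPLE_LOADS = [
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\cryptsp.dll", True),
    ("C:\\Users\\victim\\AppData\\Roaming\\Sys32\\tool.exe",
     "C:\\Users\\victim\\AppData\\Roaming\\Sys32\\version.dll", False),
    ("C:\\Users\\victim\\AppData\\Roaming\\Sys32\\tool.exe",
     "C:\\Windows\\System32\\kernel32.dll", True),
    ("C:\\Program Files\\Vendor\\app.exe",
     "C:\\Program Files\\Vendor\\libvendor.dll", True),
    ("C:\\Program Files\\Vendor\\app.exe",
     "C:\\Program Files\\Vendor\\dwmapi.dll", True),
]


def _split(path):
    """Return (lower-cased directory with trailing backslash, lower-cased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() + "\\", name.lower()


def classify_load(image, loaded, signed):
    """Return a verdict for one image-load record, or None if it looks normal."""
    load_dir, load_name = _split(loaded)
    if load_name not in KNOWN_SYSTEM_DLL_NAMES:
        return None                          # not impersonating a system library
    if load_dir.startswith(SYSTEM_DIRS):     # str.startswith accepts a tuple
        return None                          # loaded from where it belongs
    # A system-named DLL resolved from outside the system directories.
    return "unsigned_sideload" if not signed else "sideload_candidate"


def scan_loads(records):
    """Return findings for loads of system-named DLLs from non-system paths."""
    findings = []
    for image, loaded, signed in records:
        verdict = classify_load(image, loaded, signed)
        if verdict is None:
            continue
        image_dir, _ = _split(image)
        load_dir, _ = _split(loaded)
        findings.append({"image": image, "loaded": loaded, "signed": signed,
                         "same_dir": image_dir == load_dir, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_loads(SAMPLE_LOADS):
        print(f"{f['verdict']:18} same_dir={f['same_dir']} {f['loaded']}")
```

The same_dir flag is the strongest signal: a system-named DLL sitting next to the executable that loads it, outside any system directory, is the textbook side-loading layout. A signed third-party DLL carrying a system name is worth a look but is often a vendor redistribution, which is why it gets the weaker verdict.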
Cybersecurity firm eSentire said on Thursday that the core functionality of Dridex has received a further upgrade, and published more details on the new strain.
A sample similar to Duncan's, when uploaded to VirusTotal, was flagged as malicious by only six of roughly 60 antivirus engines.
The circumvention of detection by signature-based systems is of concern, especially considering how many members of the general public rely purely on traditional antivirus programs to protect their systems.
Thankfully, by June 27 the number of engines detecting it had risen to 16 of 60, just over 25 percent. That is still not great, but it shows that antivirus vendors are beginning to add signatures for the latest Dridex variant.
Clues in the URLs and directories used across the latest spread of the malware suggest to eSentire that the threat actors are not finished yet, and it is possible that "this variant of Dridex will continue to change up indicators throughout the current campaign."
“Some antivirus engines were able to detect (but not specify) the suspicious behavior,” the researchers added. “Given the rapid turnover of infrastructure and indicators, signature-based antivirus solutions will continue to have gaps throughout the Dridex campaign.”
Indicators of compromise are listed in eSentire's report.