Categories: Breaking NewsCyber CrimeMalware

New Dridex malware evades detection with AutoClose function

Security experts at Proofpoint have discovered a new phishing campaign that exploits a Dridex variant that evades detection with AutoClose function.

Criminal crews behind the Dridex banking malware are very prolific and are improving the popular malicious code. Recently we have discussed about a Dridex variant which was spread through phishing messages with Microsoft Office documents embedding malicious macros.

The attackers exploited social engineering technique to lure victims into open the document and enable macros, which are disabled by default since the release of Office 2007.

The most recent improvement for the Dridex campaign is the inclusion of an AutoClose VBscript function as evasion technique.

Triggering malicious action when document is closed could be an effective technique against sandbox detection methods.

“The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens,” states a blog post published by Proofpoint. “Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.The AutoClose method executes another method, “vhjVHsdfdsf” that includes obfuscated code. XOR’ing the obfuscated code with 0xFF yields powershell downloader code which installs Dridex with botnet ID 120.”

Basically, a sandbox detection mechanism doesn’t implement a feature waiting for the user that closes the document.

“No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.” Proofpoint reports.

Dridex belongs to the GameOver Zeus family and operates by injecting code directly in the browsers when victims visit their online banking accounts. The malicious code is used to steal sensitive information, including the banking credentials.

Dridex, like last variants of GameOver Zeus, uses a peer-to-peer architecture and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemesto make the botnet resilient to action of law enforcement.

Pierluigi Paganini

(Security Affairs – Dridex banking trojan, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.