A Closer Look at the Dridex Trojan After Some Recently Received E-mails

The security Expert Michael Fratello provide us a closer look at the Dridex Trojan following its investigation on the malicious agent.

The Dridex Banking Trojan is a part of a family of Trojans classified as “banking trojans“.  An article describing the Dridex Trojan and some of its inner-workings were published by TrendMicro in November of 2014.

However, I have recently been alerted of a phishing campaign targeting my organization in which multiple e-mails were intercepted, with ZIP archive attachments.  These ZIP archives, as well as the overall e-mail, fit the description of a typical Dridex phishing e-mail; describing a financial issue, in this case, the failure of an ACH (Automated Clearing House) Payment.  The ZIP archive was named to manipulate the user into believing that it contained information regarding this “failed transaction.”

Within this ZIP archive was a single Microsoft Word document; while I did not bother to look for any actual content within the Word document, I did know that the document contained embedded Macros.  Macros allow users to embed VisualBasic scripts within Microsoft Office documents.  These can be used, and were of course intended to be used for legitimate purposes, but are commonly utilized by malware authors to trick unsuspecting users into launching nefarious code that performs actions that lead to the compromise of their device.

As TrendMicro reported in their November 2014 article:

“The appearance of DRIDEX comes a couple of years after CRIDEX’s entry into the threat landscape.  Both CRIDEX and DRIDEX steal personal information, specifically data related to online banking.  DRIDEX is consider as the successor because it uses a new way to steal information–via HTML injections.

However, there is a major difference between the two.  CRIDEX malware is one of the payloads associated with exploit kit spam attacks.  DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code.  The macro code downloads DRIDEX onto the affected system.”

As evidenced by my analysis and the e-mail alone, this description remains accurate, at least in the case of DRIDEX’s [primary] method of infection.

The detailed analysis is available in the following document:

A_Closer_Look_at_the Dridex_Trojan.pdf

Enjoy it!

About the Author Michael Fratello

Edited by Pierluigi Paganini

(Security Affairs –  Dridex, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]