Categories: Breaking NewsCyber CrimeMalware

A Closer Look at the Dridex Trojan After Some Recently Received E-mails

The security Expert Michael Fratello provide us a closer look at the Dridex Trojan following its investigation on the malicious agent.

The Dridex Banking Trojan is a part of a family of Trojans classified as “banking trojans“. An article describing the Dridex Trojan and some of its inner-workings were published by TrendMicro in November of 2014.

However, I have recently been alerted of a phishing campaign targeting my organization in which multiple e-mails were intercepted, with ZIP archive attachments. These ZIP archives, as well as the overall e-mail, fit the description of a typical Dridex phishing e-mail; describing a financial issue, in this case, the failure of an ACH (Automated Clearing House) Payment. The ZIP archive was named to manipulate the user into believing that it contained information regarding this “failed transaction.”

Within this ZIP archive was a single Microsoft Word document; while I did not bother to look for any actual content within the Word document, I did know that the document contained embedded Macros. Macros allow users to embed VisualBasic scripts within Microsoft Office documents. These can be used, and were of course intended to be used for legitimate purposes, but are commonly utilized by malware authors to trick unsuspecting users into launching nefarious code that performs actions that lead to the compromise of their device.

As TrendMicro reported in their November 2014 article:

“The appearance of DRIDEX comes a couple of years after CRIDEX’s entry into the threat landscape. Both CRIDEX and DRIDEX steal personal information, specifically data related to online banking. DRIDEX is consider as the successor because it uses a new way to steal information–via HTML injections.

However, there is a major difference between the two. CRIDEX malware is one of the payloads associated with exploit kit spam attacks. DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code. The macro code downloads DRIDEX onto the affected system.”

As evidenced by my analysis and the e-mail alone, this description remains accurate, at least in the case of DRIDEX’s [primary] method of infection.

The detailed analysis is available in the following document:

A_Closer_Look_at_the Dridex_Trojan.pdf

Enjoy it!

About the Author Michael Fratello

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York. Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.

[adrotate banner=”9″]

[adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – Dridex, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.