Last Dridex Trojan variant uses a new tactic to bypass Windows UAC

A new variant of the Dridex Trojan recently observed is leveraging a new tactic to bypass the UAC (User Account Control).

Researchers at the security firm Flashpoint have discovered a new campaign leveraging on a new variant of the Dridex Trojan that uses a new tactic to bypass the UAC (User Account Control).

The Dridex Trojan was first spotted in 2014, it is considered one of the most pervasive banking trojan. It was most active between 2014 and 2015, and just smaller campaigns were observed throughout 2016.

The last campaign observed by Flashpoint is targeting UK financial institutions, crooks are using “previously-unobserved” Dridex UAC bypass technique that leverages Windows default recovery disc executable recdisc.exe.

“On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.” reads the analysis published by the security firm.

“Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.”

This variant of the Dridex Trojan is  using svchost and spoolsrv to communicate with peers and the first-layer of the Command & Control infrastructure.

Crooks are using spam emails as the attack vector, the malicious messages come with attached Word documents that embed macros that download and execute the Dridex Trojan.

Once infected the Windows machine, the malware moves itself from the current location to the %TEMP% folder.

“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” continues the analysis.

Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll with administrative privileges and bypass the UAC protection on Windows 7.

The mechanism leverage the Windows utility because it is white-listed for auto-elevation.

In order to bypass UAC, the malware creates a directory in Windows\System32\6886, then copies the legitimate binary from Windows\System32\recdisc.exe to Windows\System32\6886\.

Then Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and moves itself to Windows\System32\6886\SPP.dll. The Dridex Trojan then deletes wu*.exe and po*.dll from Windows\System32, after which it executes recdisc.exe and loads itself as impersonated SPP.dll with administrative privileges.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – banking trojan, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]