New variant of Dridex banking Trojan implements polymorphism

Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that shows polymorphism.

Security experts at eSentire observed a new campaign spreading a variant of the Dridex banking Trojan that implements polymorphism.

The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

Even if the activity of Dridex decreased in the last couple of years, crooks continued to updates it adding new features such the support of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.

Malware researcher Brad Duncan first observed a new variant of Dridex on June 17 that leverage an Application Whitelisting technique to bypass mitigation via disabling or blocking of Windows Script Host.

On June 26, 2019, experts at eSentire Threat Intelligence discovered a C2 infrastructure pointing to a similar Dridex variant that was undetected by most of the antivirus listed in VirusTotal service.

“On June 26, 2019, eSentire Threat Intelligence discovered new infrastructure pointing to a similar Dridex variant (see IOCs below). At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior [2]. About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.” reads the analysis published by eSentire.

Experts noticed that threat actors continuously change up indicators through the current campaign, making it hard for signature-based defense solutions to detect the threat.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. Duncan pointed out that file paths, file names, and associated hashes would change at every computer login.

Attacks begin with spam emails containing weaponized documents, once victims have executed the embedded macros, the malicious code connects to the ssl-pert[.]com domain to download the Dridex installer.

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Dridex, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.