A recently observed Dridex distribution campaign is leveraging a new UAC (User Account Control) bypass method, Flashpoint security researchers warn.
Initially discovered in 2014, Dridex is considered the successor of the GameOver ZeuS (GoZ) malware, as it uses an improved version of GoZ’s peer-to-peer architecture to protect its command and control (C&C) server. Dridex has emerged as one of the most prevalent banking Trojan families out there, yet its recent activity has subsided compared to levels seen in 2014 and 2015.
A recently observed small distribution campaign targeting UK financial institutions was characterized by the use of a “previously-unobserved” Dridex UAC bypass that leverages recdisc.exe, a Windows default recovery disc executable. The malware was also observed loading malicious code via impersonated SPP.dll, and using svchost and spoolsrv to communicate to peers and first-layer C&C servers.
As usual, Dridex is being distributed through spam emails with attached Word documents that feature malicious macros designed to download and execute the malware. The initially dropped module was designed to download the main Dridex payload. After infection, the Trojan moves itself from the current location to the %TEMP% folder.
“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” Flashpoint Senior Intelligence Analyst Vitali Kremez explains.
On the infected machine, Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll and bypass the UAC protection on Windows 7. It does so because the platform automatically elevates the program, along with other applications white-listed for auto-elevation. Dridex leverages this feature to execute two commands on the computer.
To bypass UAC, Dridex creates a directory in Windows\System32\6886, then copies the legitimate binary from Windows\System32\recdisc.exe to Windows\System32\6886\. Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and moves itself to Windows\System32\6886\SPP.dll. The malware then deletes wu*.exe and po*.dll from Windows\System32, after which it executes recdisc.exe and loads itself as impersonated SPP.dll with administrative privileges.
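The sequence above gives a defender three observable points: the copy of recdisc.exe and SPP.dll into a System32 subdirectory, recdisc.exe starting from a path other than its normal location, and recdisc.exe loading SPP.dll from outside System32. The following is an added example, not code from Flashpoint or the article; it runs those checks over constructed Sysmon-style events whose field names are assumptions, and uses the 6886 directory name reported in the article.

```python
import ntpath

# Constructed Sysmon-style events (field names are assumptions, not real Sysmon schema)
# mirroring the recdisc.exe / SPP.dll hijack sequence, plus two benign events.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\victim\AppData\Local\Temp\x.tmp",
     "target": r"C:\Windows\System32\6886\recdisc.exe"},
    {"event": "FileCreate", "image": r"C:\Users\victim\AppData\Local\Temp\x.tmp",
     "target": r"C:\Windows\System32\6886\SPP.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\6886\recdisc.exe"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\6886\recdisc.exe",
     "loaded": r"C:\Windows\System32\6886\SPP.dll"},
    # Benign: the real recovery-disc tool running and loading from its normal location.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\recdisc.exe"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\recdisc.exe",
     "loaded": r"C:\Windows\System32\spp.dll"},
]

SYSTEM32 = r"c:\windows\system32"


def _in_system32_root(path):
    """True only if the file sits directly in System32, not in a subdirectory."""
    return ntpath.dirname(path).lower() == SYSTEM32


def _in_system32_subdir(path):
    """True if the file sits in a subdirectory below System32 (e.g. System32\\6886)."""
    return ntpath.dirname(path).lower().startswith(SYSTEM32 + "\\")


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, path) hits for the auto-elevated recdisc.exe DLL-hijack pattern."""
    hits = []
    for ev in events:
        if ev["event"] == "FileCreate":
            tgt = ev["target"]
            if _name(tgt) in ("recdisc.exe", "spp.dll") and _in_system32_subdir(tgt):
                hits.append(("auto_elevated_binary_or_spp_copied_to_system32_subdir", tgt))
        elif ev["event"] == "ProcessCreate":
            if _name(ev["image"]) == "recdisc.exe" and not _in_system32_root(ev["image"]):
                hits.append(("recdisc_started_from_unexpected_path", ev["image"]))
        elif ev["event"] == "ImageLoad":
            loaded = ev["loaded"]
            if (_name(ev["image"]) == "recdisc.exe" and _name(loaded) == "spp.dll"
                    and not _in_system32_root(loaded)):
                hits.append(("recdisc_loaded_spp_dll_outside_system32", loaded))
    return hits
```

The same three checks translate directly into a SIEM or Sysmon rule; the benign pair in the sample is there to confirm the normal recdisc.exe start produces no alert.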
The security researchers also discovered that the banking Trojan communicates with peers on ports 4431-4433. In this specific campaign, the peers are other machines that Dridex has already enslaved, Flashpoint’s Kremez notes.