Dridex Employs Polymorphism in Recent Campaign

A recent campaign featuring the Dridex banking Trojan has shown extensive use of randomly generated variables and URL directories, eSentire’s security researchers reveal.

Around for more than half a decade, Dridex was one of the most prevalent banking malware families out there several years ago. Albeit the activity surrounding it has decreased significantly over the past couple of years, Dridex has continued to receive updates to increase attack efficiency.

Some of the changes Dridex has seen over the years include the adoption of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Featuring a dynamic configuration and web injections right from the start, the malware is attempting to steal banking information from the victim’s system.

Attacks observed in June revealed the disabling or blocking of Windows Script Host to bypass mitigation, eSentire reports. The employed technique leverages the WMI command-line (WMIC) utility’s execution policy around XLS scripts to successfully infect the target machines.

The prevalent characteristic of the campaign is a constant shift in identifiers, the security researchers reveal. This has been ongoing for at least two weeks and is likely to continue, likely making it difficult for signature-based antivirus solutions to prevent infections.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

A similar polymorphism was observed in the supporting library as well, malware researcher and SANS ISC contributor Brad Duncan revealed a couple of weeks ago.

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. The file paths, file names, and associated hashes would change at every computer login, the researcher said.

The infection process begins with spam emails containing malicious documents with embedded macros that would require some level of user interaction to be triggered. Once executed, the macros reach to the ssl-pert[.]com domain to download the Dridex installer.

Just as with all spam, compromise can be avoided if the email recipients are aware of the basic protections against such messages, including avoiding opening attachments or clicking on links that come from unknown sources.

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

Related: Extensive ‘Living Off the Land’ Hides Stealthy Malware Campaign

Related: Popular Banking Trojans Share Loaders