Dridex Employs Polymorphism in Recent Campaign

A recent campaign featuring the Dridex banking Trojan has shown extensive use of randomly generated variables and URL directories, eSentire’s security researchers reveal.

Around for more than half a decade, Dridex was one of the most prevalent banking malware families several years ago. Although activity surrounding it has decreased significantly over the past couple of years, Dridex has continued to receive updates that increase attack efficiency.

Some of the changes Dridex has seen over the years include the adoption of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Featuring a dynamic configuration and web injections right from the start, the malware is attempting to steal banking information from the victim’s system.

Attacks observed in June involved disabling or blocking Windows Script Host to bypass mitigation, eSentire reports. The technique leverages the WMI command-line (WMIC) utility's execution policy around XSL scripts to infect target machines.
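As an added example (not from the article or from eSentire's report): a small Python scanner over constructed process-creation log lines that flags WMIC invocations whose /format: argument points at a file path or URL rather than a built-in output format, since WMIC loads and executes such an XSL stylesheet. The pipe-separated log layout and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (not real telemetry), one per line:
# "<timestamp> | <parent image> | <command line>"
SAMPLE_EVENTS = """\
2019-06-27T10:01:02 | C:\\Windows\\System32\\cmd.exe | wmic.exe os get /format:list
2019-06-27T10:01:05 | C:\\Windows\\System32\\cmd.exe | wmic.exe process list /format:"C:\\Users\\Public\\style.xsl"
2019-06-27T10:02:11 | C:\\Program Files\\Microsoft Office\\WINWORD.EXE | wmic os get /format:"https://example.invalid/a.xsl"
2019-06-27T10:03:00 | C:\\Windows\\explorer.exe | wmic.exe computersystem get name
"""

WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\b", re.IGNORECASE)
# /format: takes either a quoted value or a bare token
FORMAT_RE = re.compile(r'/format\s*:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    parent: str
    format_arg: str
    reason: str


def classify_format_arg(arg: str) -> Optional[str]:
    """Return why a /format argument looks like an external stylesheet, or None.
    Built-in formats are bare keywords (list, csv, xml, ...); anything that
    resolves to a file or a URL is an XSL stylesheet WMIC will load and run."""
    a = arg.strip().lower()
    if "://" in a:
        return "stylesheet fetched from a URL"
    if "\\" in a or "/" in a or a.endswith(".xsl"):
        return "stylesheet loaded from a file path"
    return None


def scan_events(text: str) -> List[Finding]:
    """Scan log lines and return one Finding per suspicious WMIC invocation."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # malformed line, skip
        _ts, parent, cmdline = parts
        if not WMIC_RE.search(cmdline):
            continue
        m = FORMAT_RE.search(cmdline)
        if not m:
            continue
        arg = m.group(1) if m.group(1) is not None else m.group(2)
        reason = classify_format_arg(arg)
        if reason:
            findings.append(Finding(n, parent, arg, reason))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.reason} ({f.format_arg}) parent={f.parent}")
```

The parent image is carried along for triage only; an Office process as the parent of such a WMIC call is worth prioritising given the macro-based delivery described in the article.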

The defining characteristic of the campaign is a constant shift in indicators, the security researchers reveal. This has been ongoing for at least two weeks and is likely to continue, making it difficult for signature-based antivirus solutions to prevent infections.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

A similar polymorphism was observed in the supporting library as well, malware researcher and SANS ISC contributor Brad Duncan revealed a couple of weeks ago.

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. The file paths, file names, and associated hashes would change at every computer login, the researcher said.

The infection process begins with spam emails carrying malicious documents with embedded macros that require some level of user interaction to be triggered. Once executed, the macros reach out to the ssl-pert[.]com domain to download the Dridex installer.

As with all spam, compromise can be avoided if email recipients follow basic precautions against such messages, including not opening attachments or clicking on links that come from unknown sources.

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
