January 31, 2017 By Douglas Bonderud 2 min read

In 2014 and 2015, Dridex ruled the banking malware world as one of the most popular Gameover Zeus (GOZ) successors. But security professionals got wise, cracked down and largely eradicated the malicious code.

According to Softpedia, however, researchers have detected a number of small-scale phishing attacks carrying a new variant of the old standby. Is this a dry run for Dridex, redux?

What’s Old Is New Again

In some respects, the new version of old code doesn’t stray too far from the original model. It still monitors traffic to banking sites, collects login credentials and steals account information.

It also shields its command-and-control (C&C) infrastructure from takedown by using a peer-to-peer (P2P) architecture: infected hosts relay traffic for one another, so there is no single server for analysts to seize or sinkhole, and defenders are left remediating each infected machine on its own.

As noted by Threatpost, however, there are some new additions. First, Dridex is going small scale, spear phishing users in the U.K. with email attachments that claim to be tax documents or electronic fax confirmations. Those attachments carry macros that drop the initial malware package once the document is opened and macros are enabled.

Elevated Privileges

Here’s where the malware ramps up, using a method to bypass User Account Control (UAC) on Windows 7 and gain elevated privileges without a prompt. The malware creates a new directory at Windows\System32\6886 and copies into it a legitimate, Microsoft-signed copy of recdisc.exe, the system repair disc utility, which UAC auto-elevates under default settings.

Next, it copies itself into the same folder several times and deletes any wu*.exe and po*.dll files from System32. Finally, it executes the copied recdisc.exe, which resolves SPP.dll from its own directory and so loads the malware posing as that DLL, giving the malicious code the administrative rights of the auto-elevated process.

Once recdisc.exe has loaded the impersonated DLL, UAC is no longer an obstacle. The elevated code then adds a firewall rule permitting inbound ICMPv4 so the bot can listen for P2P communications.

The new version of this banking malware has administrative access to infected systems. As noted by Live Bitcoin News, it also often goes unnoticed, since Windows classifies recdisc.exe and its associated processes as trusted applications: the executable really is signed, even though the DLL it loaded is not.
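The hijack chain described above (a copy of an auto-elevating, signed binary run from an attacker-created folder, which then sideloads a DLL from that same folder) is what a defender can look for. The following Python is an added example written for this page, not code from the article or from Flashpoint's analysis: it runs two checks over constructed, Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The field names, process IDs and sample records are assumptions; only recdisc.exe, SPP.dll and the System32\6886 staging folder come from the text. The watch list is a table, so the same logic generalizes to other auto-elevating binaries beyond the single case the article describes.

```python
"""Detect the recdisc.exe / SPP.dll UAC-bypass pattern in process telemetry.

Added example, not from the original article. Input is a list of constructed,
Sysmon-style event dicts: EventID 1 (process create) and EventID 7 (image load).
Field names, PIDs and the sample records are assumptions for illustration.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"

# Auto-elevating binaries to watch, mapped to the DLLs they are expected to
# load from System32. Only the recdisc.exe -> spp.dll pair comes from the
# article; the table shape is what lets the check cover other binaries.
AUTO_ELEVATE_TARGETS = {
    "recdisc.exe": {"spp.dll"},
}


def _norm(path):
    return path.replace("/", "\\").lower()


def _dirname(path):
    return ntpath.dirname(_norm(path))


def _basename(path):
    return ntpath.basename(_norm(path))


def check_process_create(ev):
    """EventID 1: a watched auto-elevate binary running outside System32."""
    image = ev["Image"]
    name = _basename(image)
    if name in AUTO_ELEVATE_TARGETS and _dirname(image) != SYSTEM32:
        return f"{name} executed from non-System32 path {image}"
    return None


def check_image_load(ev):
    """EventID 7: a watched binary loading one of its System32 DLLs elsewhere."""
    name = _basename(ev["Image"])
    loaded = ev["ImageLoaded"]
    dll = _basename(loaded)
    if (name in AUTO_ELEVATE_TARGETS
            and dll in AUTO_ELEVATE_TARGETS[name]
            and _dirname(loaded) != SYSTEM32):
        return f"{name} loaded {dll} from {loaded} instead of System32 (sideload)"
    return None


def scan(events):
    """Return (ProcessId, message) findings for every event that matches a check."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            msg = check_process_create(ev)
        elif ev["EventID"] == 7:
            msg = check_image_load(ev)
        else:
            msg = None
        if msg:
            findings.append((ev["ProcessId"], msg))
    return findings


# Constructed sample telemetry (assumed field names; not real captured logs).
SAMPLE_EVENTS = [
    # Benign: the real utility launched from its home directory.
    {"EventID": 1, "ProcessId": 1200, "Image": r"C:\Windows\System32\recdisc.exe"},
    {"EventID": 7, "ProcessId": 1200, "Image": r"C:\Windows\System32\recdisc.exe",
     "ImageLoaded": r"C:\Windows\System32\spp.dll"},
    # Suspicious: copy of recdisc.exe run from the staging folder the article names.
    {"EventID": 1, "ProcessId": 2044, "Image": r"C:\Windows\System32\6886\recdisc.exe"},
    {"EventID": 7, "ProcessId": 2044, "Image": r"C:\Windows\System32\6886\recdisc.exe",
     "ImageLoaded": r"C:\Windows\System32\6886\SPP.dll"},
    # Unrelated system DLL loaded from System32: must not fire.
    {"EventID": 7, "ProcessId": 2044, "Image": r"C:\Windows\System32\6886\recdisc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {msg}")
```

Because the executable is genuinely Microsoft-signed, a signature check or an allowlist of trusted images will not catch this on its own. The signal is the path mismatch: the binary running from somewhere other than System32, and its DLL resolving to the application directory rather than the system directory. A newly created numeric folder under System32 is a further, weaker indicator worth correlating with the two above.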

Dridex Redux?

So far, infections have been confined to the U.K. and those observed have been smaller than in years past. Security researchers are worried, however, that this is simply a testing phase. Once the malware-makers know they’ve got a quality product on their hands, they’ll likely ramp up the number of attacks.

Consider the recent development of a new Android banking Trojan, Android.BankBot, which was developed using the leaked source code of another Android attack. As noted by Bleeping Computer, the leak may have been an attempt to crowdsource better code. While some malicious actors who reuse code are simply looking for a quick fix, others find ways to improve the basic structure and create stronger, faster and more dangerous iterations.

Given that Dridex is a “very modular Trojan,” Flashpoint senior intelligence analyst Vitali Kremez told Threatpost, it seems likely that a combination of successful test runs and crowdsourced coordination could give this malware the push it needs to become a two-time banking threat leader.

The bottom line is that Dridex is back. It can’t compete with its previous popularity just yet, but given the limited test run and its customizable nature, this UAC-bypassing progeny may signal the start of Dridex, redux.
