January 31, 2017 By Douglas Bonderud 2 min read

In 2014 and 2015, Dridex ruled the banking malware world as one of the most popular Gameover Zeus (GOZ) successors. But security professionals got wise, cracked down and largely eradicated the malicious code.

According to Softpedia, however, researchers have detected a number of small-scale phishing attacks carrying a new variant of the old standby. Is this a dry run for Dridex, redux?

What’s Old Is New Again

In some respects, the new version of old code doesn’t stray too far from the original model. It still monitors traffic to banking sites, collects login credentials and steals account information.

It also defends its command-and-control (C&C) servers from deletion by using peer-to-peer (P2P) architecture. This makes it difficult for security analysts to pin down command origins and forces them to simply defeat the code in each instance.

As noted by Threatpost, however, there are some new additions. First, Dridex is going small scale and only spear phishing users in the U.K. with email attachments that claim to be tax documents or electronic fax confirmations. Needless to say, the attachments contain macros that drop the initial malware package.

Elevated Privileges

Here’s where the malware starts to ramp up by leveraging a method to bypass the Windows 7 User Account Control (UAC) and gain automatic privilege elevation. The malware creates a new directory at Windows\System32\6886 and then copies a legitimate binary of redsic, a disk recovery service that is granted automatic whitelisting and privileges, into the new folder.

Next, it copies itself several times to land in the same folder and starts deleting any wu*.exe and po*.dll files from System32. Finally, it executes recdisc.exe and loads itself as an impersonated SPP.dll with admin authority.

Once recdisc.exe is copied into the new folder, UAC is no longer an issue. This enables the malware to create a new firewall rule for ICMPv4 listeners for P2P communications.

The new version of this banking malware has total access to infected systems. As noted by Live Bitcoin News, it also often goes unnoticed, since Windows classifies recdisc.exe and its associated processes as trusted applications.

Dridex Redux?

So far, infections have been confined to the U.K. and those observed have been smaller than in years past. Security researchers are worried, however, that this is simply a testing phase. Once the malware-makers know they’ve got a quality product on their hands, they’ll likely ramp up the number of attacks.

Consider the recent development of a new Android banking Trojan, Android.BankBot, which was developed using the leaked source code of another Android attack. As noted by Bleeping Computer, the leak may have been an attempt to crowdsource better code. While some malicious actors who reuse code are simply looking for a quick fix, others find ways to improve the basic structure and create stronger, faster and more dangerous iterations.

Given that Dridex is a “very modular Trojan,” Flashpoint senior intelligence analyst Vitali Kremez told Threatpost, it seems likely that a combination of successful test runs and crowdsourced coordination could give this malware the push it needs to become a two-time banking threat leader.

The bottom line is that Dridex is back. It can’t compete with its previous popularity just yet, but given the limited test run and its customizable nature, this UAC-passing progeny may signal the start of Dridex, redux.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today