January 31, 2017 By Douglas Bonderud 2 min read

In 2014 and 2015, Dridex ruled the banking malware world as one of the most popular Gameover Zeus (GOZ) successors. But security professionals got wise, cracked down and largely eradicated the malicious code.

According to Softpedia, however, researchers have detected a number of small-scale phishing attacks carrying a new variant of the old standby. Is this a dry run for Dridex, redux?

What’s Old Is New Again

In some respects, the new version of old code doesn’t stray too far from the original model. It still monitors traffic to banking sites, collects login credentials and steals account information.

It also defends its command-and-control (C&C) servers from deletion by using peer-to-peer (P2P) architecture. This makes it difficult for security analysts to pin down command origins and forces them to simply defeat the code in each instance.

As noted by Threatpost, however, there are some new additions. First, Dridex is going small scale and only spear phishing users in the U.K. with email attachments that claim to be tax documents or electronic fax confirmations. Needless to say, the attachments contain macros that drop the initial malware package.

Elevated Privileges

Here’s where the malware starts to ramp up by leveraging a method to bypass the Windows 7 User Account Control (UAC) and gain automatic privilege elevation. The malware creates a new directory at Windows\System32\6886 and then copies a legitimate binary of redsic, a disk recovery service that is granted automatic whitelisting and privileges, into the new folder.

Next, it copies itself several times to land in the same folder and starts deleting any wu*.exe and po*.dll files from System32. Finally, it executes recdisc.exe and loads itself as an impersonated SPP.dll with admin authority.

Once recdisc.exe is copied into the new folder, UAC is no longer an issue. This enables the malware to create a new firewall rule for ICMPv4 listeners for P2P communications.

The new version of this banking malware has total access to infected systems. As noted by Live Bitcoin News, it also often goes unnoticed, since Windows classifies recdisc.exe and its associated processes as trusted applications.

Dridex Redux?

So far, infections have been confined to the U.K. and those observed have been smaller than in years past. Security researchers are worried, however, that this is simply a testing phase. Once the malware-makers know they’ve got a quality product on their hands, they’ll likely ramp up the number of attacks.

Consider the recent development of a new Android banking Trojan, Android.BankBot, which was developed using the leaked source code of another Android attack. As noted by Bleeping Computer, the leak may have been an attempt to crowdsource better code. While some malicious actors who reuse code are simply looking for a quick fix, others find ways to improve the basic structure and create stronger, faster and more dangerous iterations.

Given that Dridex is a “very modular Trojan,” Flashpoint senior intelligence analyst Vitali Kremez told Threatpost, it seems likely that a combination of successful test runs and crowdsourced coordination could give this malware the push it needs to become a two-time banking threat leader.

The bottom line is that Dridex is back. It can’t compete with its previous popularity just yet, but given the limited test run and its customizable nature, this UAC-passing progeny may signal the start of Dridex, redux.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today