January 31, 2017 By Douglas Bonderud 2 min read

In 2014 and 2015, Dridex ruled the banking malware world as one of the most popular Gameover Zeus (GOZ) successors. But security professionals got wise, cracked down and largely eradicated the malicious code.

According to Softpedia, however, researchers have detected a number of small-scale phishing attacks carrying a new variant of the old standby. Is this a dry run for Dridex, redux?

What’s Old Is New Again

In some respects, the new version of old code doesn’t stray too far from the original model. It still monitors traffic to banking sites, collects login credentials and steals account information.

It also defends its command-and-control (C&C) servers from deletion by using peer-to-peer (P2P) architecture. This makes it difficult for security analysts to pin down command origins and forces them to simply defeat the code in each instance.

As noted by Threatpost, however, there are some new additions. First, Dridex is going small scale and only spear phishing users in the U.K. with email attachments that claim to be tax documents or electronic fax confirmations. Needless to say, the attachments contain macros that drop the initial malware package.

Elevated Privileges

Here’s where the malware starts to ramp up by leveraging a method to bypass the Windows 7 User Account Control (UAC) and gain automatic privilege elevation. The malware creates a new directory at Windows\System32\6886 and then copies a legitimate binary of redsic, a disk recovery service that is granted automatic whitelisting and privileges, into the new folder.

Next, it copies itself several times to land in the same folder and starts deleting any wu*.exe and po*.dll files from System32. Finally, it executes recdisc.exe and loads itself as an impersonated SPP.dll with admin authority.

Once recdisc.exe is copied into the new folder, UAC is no longer an issue. This enables the malware to create a new firewall rule for ICMPv4 listeners for P2P communications.

The new version of this banking malware has total access to infected systems. As noted by Live Bitcoin News, it also often goes unnoticed, since Windows classifies recdisc.exe and its associated processes as trusted applications.

Dridex Redux?

So far, infections have been confined to the U.K. and those observed have been smaller than in years past. Security researchers are worried, however, that this is simply a testing phase. Once the malware-makers know they’ve got a quality product on their hands, they’ll likely ramp up the number of attacks.

Consider the recent development of a new Android banking Trojan, Android.BankBot, which was developed using the leaked source code of another Android attack. As noted by Bleeping Computer, the leak may have been an attempt to crowdsource better code. While some malicious actors who reuse code are simply looking for a quick fix, others find ways to improve the basic structure and create stronger, faster and more dangerous iterations.

Given that Dridex is a “very modular Trojan,” Flashpoint senior intelligence analyst Vitali Kremez told Threatpost, it seems likely that a combination of successful test runs and crowdsourced coordination could give this malware the push it needs to become a two-time banking threat leader.

The bottom line is that Dridex is back. It can’t compete with its previous popularity just yet, but given the limited test run and its customizable nature, this UAC-passing progeny may signal the start of Dridex, redux.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today