Dridex Redux? Small-Scale Attacks Suggest Potential Compromise Comeback

January 31, 2017 @ 11:30 AM
| |
2 min read

In 2014 and 2015, Dridex ruled the banking malware world as one of the most popular Gameover Zeus (GOZ) successors. But security professionals got wise, cracked down and largely eradicated the malicious code.

According to Softpedia, however, researchers have detected a number of small-scale phishing attacks carrying a new variant of the old standby. Is this a dry run for Dridex, redux?

What’s Old Is New Again

In some respects, the new version of old code doesn’t stray too far from the original model. It still monitors traffic to banking sites, collects login credentials and steals account information.

It also defends its command-and-control (C&C) servers from deletion by using peer-to-peer (P2P) architecture. This makes it difficult for security analysts to pin down command origins and forces them to simply defeat the code in each instance.

As noted by Threatpost, however, there are some new additions. First, Dridex is going small scale and only spear phishing users in the U.K. with email attachments that claim to be tax documents or electronic fax confirmations. Needless to say, the attachments contain macros that drop the initial malware package.

Elevated Privileges

Here’s where the malware starts to ramp up by leveraging a method to bypass the Windows 7 User Account Control (UAC) and gain automatic privilege elevation. The malware creates a new directory at Windows\System32\6886 and then copies a legitimate binary of redsic, a disk recovery service that is granted automatic whitelisting and privileges, into the new folder.

Next, it copies itself several times to land in the same folder and starts deleting any wu*.exe and po*.dll files from System32. Finally, it executes recdisc.exe and loads itself as an impersonated SPP.dll with admin authority.

Once recdisc.exe is copied into the new folder, UAC is no longer an issue. This enables the malware to create a new firewall rule for ICMPv4 listeners for P2P communications.

The new version of this banking malware has total access to infected systems. As noted by Live Bitcoin News, it also often goes unnoticed, since Windows classifies recdisc.exe and its associated processes as trusted applications.

Dridex Redux?

So far, infections have been confined to the U.K. and those observed have been smaller than in years past. Security researchers are worried, however, that this is simply a testing phase. Once the malware-makers know they’ve got a quality product on their hands, they’ll likely ramp up the number of attacks.

Consider the recent development of a new Android banking Trojan, Android.BankBot, which was developed using the leaked source code of another Android attack. As noted by Bleeping Computer, the leak may have been an attempt to crowdsource better code. While some malicious actors who reuse code are simply looking for a quick fix, others find ways to improve the basic structure and create stronger, faster and more dangerous iterations.

Given that Dridex is a “very modular Trojan,” Flashpoint senior intelligence analyst Vitali Kremez told Threatpost, it seems likely that a combination of successful test runs and crowdsourced coordination could give this malware the push it needs to become a two-time banking threat leader.

The bottom line is that Dridex is back. It can’t compete with its previous popularity just yet, but given the limited test run and its customizable nature, this UAC-passing progeny may signal the start of Dridex, redux.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more