The malware authors behind the Dridex banking Trojan have been busy updating their software with new capabilities and attack vectors. In the past month security researchers have spotted two new strains - one capable of bypassing application-whitelisting mitigations that rely on disabling or blocking Windows Script Host, and a second that uses a new obfuscation method to slip past anti-virus detection.
Dridex is a well-known Trojan which specializes in the theft of online banking credentials. Dridex first appeared as Cridex in 2011 and since then has undergone a series of transformations, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.
Recently, researchers at eSentire detected phishing emails distributing a new Dridex strain whose files carry signatures (hashes) not yet known to anti-virus products, allowing the malware to evade detection on infected systems.
“At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior,” said the researchers, adding that by June 27 the number of active detections had increased to 16 out of 60.
The malware is delivered to victims via a phishing document with embedded macros. Once downloaded onto the system, Dridex starts searching for banking information. One of the most notable changes in the new variant is a technique aimed at avoiding detection by the anti-virus solutions installed on the system.
Signature-based anti-virus detection relies heavily on file hashes (MD5 or SHA256) to identify known malicious files. Dridex leverages newly built and signed 64-bit dynamic link libraries (DLLs) whose hashes differ from those of previous versions already known to anti-virus software, so a hash-based blocklist built from earlier samples does not match them.
“These DLLs are side loaded via legitimate MS Windows binaries, making them appear to be part of a legitimate software product, and thus more difficult to detect,” explained the researchers.
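The two points above (hash blocklists miss a rebuilt DLL; a side-loaded DLL sits next to a legitimate signed binary) can be turned into a small detection check. The following is an added example, not code from eSentire or from the article: it runs a hash blocklist and a path-and-signer side-loading heuristic over a constructed set of module-load records. The file contents, paths, process names and signer strings are all made up; in a real deployment the signer fields would be filled from Authenticode verification of each file and the records would come from an EDR or Sysmon image-load feed.

```python
"""Hash blocklist vs. side-loading heuristic over constructed module-load records.

Added example for illustration only; all data below is constructed.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LoadedModule:
    """One DLL observed inside a process, as an image-load event would report it."""
    process_exe: str            # image path of the host process
    exe_signer: Optional[str]   # Authenticode subject of the EXE (None if unsigned)
    dll_path: str               # path the DLL was loaded from
    dll_signer: Optional[str]   # Authenticode subject of the DLL (None if unsigned)
    dll_bytes: bytes            # file contents (constructed stand-ins here)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_blocklist(module: LoadedModule, blocklist: Set[str]) -> bool:
    """Classic signature check: is the file's SHA256 on the blocklist?"""
    return sha256_hex(module.dll_bytes) in blocklist


# Directories where DLLs are expected; loads from here are out of scope for this check.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_system_dir(directory: str) -> bool:
    d = ntpath.normcase(directory)
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def sideload_suspects(modules: List[LoadedModule]) -> List[str]:
    """Flag DLLs loaded from the host EXE's own directory (outside system dirs)
    whose signer is not the same publisher that signed the EXE.

    Vendor software that ships its own signed DLLs passes; a signed OS binary
    copied somewhere user-writable and loading a third-party-signed or
    unsigned DLL from beside it does not.
    """
    suspects = []
    for m in modules:
        exe_dir = ntpath.normcase(ntpath.dirname(m.process_exe))
        dll_dir = ntpath.normcase(ntpath.dirname(m.dll_path))
        if dll_dir != exe_dir:
            continue          # not an application-directory load
        if is_system_dir(dll_dir):
            continue          # protected location, handled by other controls
        if m.exe_signer and m.dll_signer == m.exe_signer:
            continue          # same publisher signed both: normal vendor case
        suspects.append(m.dll_path)
    return suspects


# Constructed stand-ins: a "previously seen" build and a rebuilt, re-signed one.
OLD_DLL = b"MZ\x90\x00" + b"loader-build-1"
NEW_DLL = b"MZ\x90\x00" + b"loader-build-2"
BLOCKLIST = {sha256_hex(OLD_DLL)}          # only the old build is on the blocklist

SAMPLE_MODULES = [
    # OS component loading a system DLL: not side-loading.
    LoadedModule(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
                 r"C:\Windows\System32\ntdll.dll", "Microsoft Windows", b"MZ\x90\x00ntdll"),
    # Vendor application shipping its own DLL signed by the same publisher: benign.
    LoadedModule(r"C:\Program Files\Acme\acme.exe", "Acme Corp",
                 r"C:\Program Files\Acme\acmehelper.dll", "Acme Corp", b"MZ\x90\x00acme"),
    # Hypothetical signed Windows binary copied to a temp dir, loading a DLL
    # signed by an unrelated publisher from the same directory: the Dridex pattern.
    LoadedModule(r"C:\Users\alice\AppData\Local\Temp\signed_tool.exe", "Microsoft Windows",
                 r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Example Signer Ltd", NEW_DLL),
]


def demo():
    """Return (blocklist hits, side-load suspects) for the constructed records."""
    hits = [m.dll_path for m in SAMPLE_MODULES if matches_blocklist(m, BLOCKLIST)]
    return hits, sideload_suspects(SAMPLE_MODULES)


if __name__ == "__main__":
    hash_hits, heuristic_hits = demo()
    print("hash blocklist hits:", hash_hits)          # empty: the rebuilt DLL has a new hash
    print("side-load suspects :", heuristic_hits)     # the Temp-directory DLL
```

The hash check returns nothing for the rebuilt DLL even though it is functionally the old one, which is exactly the gap the new variant exploits; the heuristic catches it on structure rather than content. In production the same-directory rule needs allow-listing for legitimate software that loads DLLs signed by a different publisher than its main executable, and the signer comparison should be done on verified certificate chains, not on subject strings alone.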
Indicators of Compromise (IOCs) can be found in eSentire's blog post on the campaign.