1 July 2019

New Dridex malware strain evades traditional antivirus software


The authors of the Dridex banking Trojan have been busy constantly updating their software with new capabilities and attack vectors. In the past month security researchers have spotted two new strains: one is capable of bypassing application whitelisting mitigations that rely on disabling or blocking Windows Script Host, while the second uses a new obfuscation method that lets it slip past anti-virus detection.

Dridex is a well-known Trojan that specializes in the theft of online banking credentials. It first appeared as Cridex in 2011 and has since undergone a series of transformations, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.

Recently, researchers at eSentire detected phishing emails distributing a new Dridex strain whose files carry signatures (hashes) not previously seen by anti-virus products, allowing the malware to evade detection on infected systems.

“At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior,” said the researchers, adding that by June 27 the number of active detections had increased to 16 out of 60.

The malware is delivered to victims via a phishing document with embedded macros. Once downloaded onto the system, Dridex starts searching for banking information. One of the most notable changes in the new variant is a technique aimed at avoiding detection by the anti-virus solutions installed on the system.

Anti-virus software relies mainly on file signatures (MD5 or SHA256 hashes) to detect malicious files. Dridex leverages newly created and signed 64-bit dynamic link libraries (DLLs) whose hashes differ from those of previous versions that anti-virus software has detected in the past.

“These DLLs are side loaded via legitimate MS Windows binaries, making them appear to be part of a legitimate software product, and thus more difficult to detect,” explained the researchers.
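The two detection points above (hash signatures missing a rebuilt DLL, and a Windows-named DLL side-loaded from a non-system directory) can be illustrated with the following Python script. It is an added example, not code from the article or from eSentire; the byte blobs, the image-load events (modelled loosely on the fields of a Sysmon Event ID 7 image-load record) and the list of system DLL names are all constructed for illustration.

```python
"""Two defender-side checks illustrating the article's points:
1. why a hash blocklist misses a rebuilt DLL while a content rule still fires, and
2. a simple image-load rule for DLL side-loading of system-named DLLs from
   non-system directories.
All inputs are constructed for illustration (assumption, not real samples)."""
import hashlib
import ntpath
import re

# --- 1. Hash signatures versus a rebuilt variant ------------------------------
# Constructed stand-ins for two builds of the same DLL: same logic, different
# bytes (a rebuild changes timestamps, padding, embedded signature blobs, ...).
_SHARED_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"example-family-marker-v2"
VARIANT_A = _SHARED_BODY + b"\x00" * 16 + b"BUILD_20190601"
VARIANT_B = _SHARED_BODY + b"\x00" * 16 + b"BUILD_20190627"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash blocklist seeded only with the first build, as a file signature would be.
HASH_BLOCKLIST = {sha256_hex(VARIANT_A)}


def hash_blocklist_match(data: bytes, blocklist=HASH_BLOCKLIST) -> bool:
    """True if the exact file hash is on the blocklist (brittle across rebuilds)."""
    return sha256_hex(data) in blocklist


# A content rule looking for a distinctive byte string that survives a rebuild
# (the idea behind YARA-style rules; the string itself is constructed here).
CONTENT_PATTERN = re.compile(rb"example-family-marker-v\d")


def content_rule_match(data: bytes) -> bool:
    return CONTENT_PATTERN.search(data) is not None


# --- 2. Side-loading: system-named DLL loaded from a non-system directory ------
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pkg\legit_tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\version.dll",
     "Signature": "Example Signer Ltd"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "Signature": "Vendor Inc"},
]

# DLL names that normally live under the Windows system directories.
# Illustrative subset only, not a complete list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload_candidate(event: dict) -> bool:
    """Flag a DLL that carries a system DLL's name but was loaded from elsewhere.
    A valid Authenticode signature does not clear the event: the article notes
    the DLLs were freshly signed."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower()
    if name not in SYSTEM_DLL_NAMES:
        return False
    return not directory.startswith(SYSTEM_DIRS)


def flag_sideloads(events) -> list:
    """Return the ImageLoaded paths of all side-load candidates in the events."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    print("variant A hash-blocked:", hash_blocklist_match(VARIANT_A))   # True
    print("variant B hash-blocked:", hash_blocklist_match(VARIANT_B))   # False
    print("variant B content-rule hit:", content_rule_match(VARIANT_B))  # True
    print("side-load candidates:", flag_sideloads(SAMPLE_IMAGE_LOADS))
```

The first half shows why the jump from 6 to 16 VirusTotal detections takes time: each rebuilt DLL has a fresh hash, so hash blocklists only catch it after someone has seen that exact file. The second half is the shape of a telemetry rule a SOC would run over image-load events: the loading process and its signature are deliberately not used as an allow condition, because a legitimate, signed Windows binary is exactly what the side-loading technique borrows.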

Indicators of Compromise (IOCs) can be found in the company blog here.
