Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

DRIDEX Avoiding Detection In The Finance Industry

If you don’t know already, DRIDEX is an online banking malware that steals personal information through HTML injections. Its main targets are customers of financial and banking institutions based in Europe. First identified around November 2014, DRIDEX is considered the direct successor of the online banking malware CRIDEX, and its new techniques and routines help it avoid detection.

Alongside its ability to bypass Windows User Account Control (UAC), researchers have reported small phishing and spear-phishing campaigns targeting specific recipients with messages containing macros in document attachments that download DRIDEX. The attachments purport to be tax documents or electronic fax confirmations. These campaigns are smaller than previous DRIDEX campaigns, which infected millions of machines.

How It Works

Once a system is infected, the UAC bypass allows the malware to execute without the user having to approve the behaviour. The bypass is characterised by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via an impersonated SPP[.]dll, according to a technical analysis of the malware.

The DRIDEX malware consists of two modules:

  1. The initial dropper module downloads the main module. After the initial infection, DRIDEX goes on the move by copying itself to the Windows %TEMP% directory and then deleting itself from its initial download directory.
  2. DRIDEX then executes commands that copy the recdisc[.]exe binary from Windows\System32\recdisc[.]exe into a new directory it creates called Windows\System32\6886.

Certain default binaries and applications stored in the System32 directory on a typical Windows system are whitelisted for automatic elevation. This means Windows expects those applications to run at the highest possible privileges, so they are not required to ask the user ‘do you want to run this application?’.

This allows DRIDEX, and the functions associated with it, to run silently on targeted PCs from within the Windows\System32\6886 directory. At this stage Windows deems DRIDEX a trusted application running with the highest privileges.

The Next Phase

The next phase of a DRIDEX attack involves creating a firewall rule that allows ICMPv4 listeners for peer-to-peer protocol communications on ports 4431-4433. In this instance, the peers are other enslaved DRIDEX victims.
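An added detection example, not code from the original article: the checks below run over constructed, simplified Sysmon-style events (a hypothetical key=value layout, not a real log export) and flag the three host indicators described above: recdisc.exe launched from a copy outside its default System32 location (such as System32\6886), SPP.dll loaded from a non-system directory, and an inbound firewall rule opening ports 4431-4433.

```python
import re

# Constructed sample events in a simplified, hypothetical Sysmon-style layout
# (event type, then key=value fields); not a real log export.
SAMPLE_EVENTS = [
    r"ProcessCreate Image=C:\Windows\System32\recdisc.exe",
    r"ProcessCreate Image=C:\Windows\System32\6886\recdisc.exe",
    r"ImageLoad Image=C:\Windows\System32\6886\recdisc.exe Loaded=C:\Windows\System32\6886\SPP.dll",
    r"ImageLoad Image=C:\Windows\System32\recdisc.exe Loaded=C:\Windows\System32\SPP.dll",
    "FirewallRuleAdd Name=Core Networking LocalPorts=4431-4433 Direction=In",
    "FirewallRuleAdd Name=Remote Desktop LocalPorts=3389 Direction=In",
]
SYSTEM32 = r"c:\windows\system32"          # only legitimate home of recdisc.exe and SPP.dll
DRIDEX_P2P_PORTS = set(range(4431, 4434))  # 4431-4433, the peer-to-peer ports named above

def parse(line):
    """Split 'Kind k1=v1 k2=v2 ...' into (kind, {k: v}); values may contain spaces."""
    kind, _, rest = line.partition(" ")
    return kind, dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))

def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()

def ports_in_rule(spec):
    """Expand a LocalPorts value such as '4431-4433' or '80,443' into a set of ints."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_event(line):
    """Return alert strings for one event; an empty list means nothing suspicious."""
    kind, f = parse(line)
    image, loaded, alerts = f.get("Image", ""), f.get("Loaded", ""), []
    # 1. auto-elevating recdisc.exe started from a copy outside System32 (e.g. System32\6886)
    if kind == "ProcessCreate" and image.lower().endswith(r"\recdisc.exe") and parent_dir(image) != SYSTEM32:
        alerts.append("recdisc.exe launched outside System32: " + image)
    # 2. an impersonated SPP.dll side-loaded from a non-system directory
    if kind == "ImageLoad" and loaded.lower().endswith(r"\spp.dll") and parent_dir(loaded) != SYSTEM32:
        alerts.append("SPP.dll loaded from non-system path: " + loaded)
    # 3. an inbound firewall rule opening the DRIDEX peer-to-peer port range
    if kind == "FirewallRuleAdd" and f.get("Direction") == "In":
        hit = ports_in_rule(f.get("LocalPorts", "")) & DRIDEX_P2P_PORTS
        if hit:
            alerts.append(f"firewall rule '{f.get('Name')}' opens P2P ports {sorted(hit)}")
    return alerts

def scan(lines):
    return [alert for line in lines for alert in check_event(line)]
```

Running scan(SAMPLE_EVENTS) yields three alerts, one per indicator, while the legitimate recdisc.exe, SPP.dll and RDP rule events produce none.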

As with previous campaigns, DRIDEX exhibits typical behaviour of monitoring a victim’s traffic to bank sites and stealing login and account information.

This malware takes advantage of opportunities as they present themselves, such as harvesting credentials, cookies and saved passwords. Attackers may also establish a remote desktop protocol module and attempt further network penetration by moving laterally across the network.

Affected Systems

The attack works against fully patched Windows 10 and previous Windows versions.

Statistics of Malware (2016)

[Figures: New Malware Variants; Email Malware by Industry. Sourced from Symantec (2017)]