“Hola amigos” – Dridex Returns Again

What is Dridex?

Dridex is a Trojan that specialises in stealing banking credentials from users. The malware is typically delivered via malicious email attachments which contain macros that will download the Dridex payload. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

 

Dridex Going Dark

Dridex is potentially linked to the Necurs botnet which was used to deliver the emails containing the malicious documents that would infect users with malware. Late evening on 31st May 2016 the Necurs Command and Control (C&C) servers went offline which correlated with a drop in distribution of the Dridex Banking Trojan. The reason for this is still unknown however one theory is that someone involved with the Necurs botnet was arrested by Russian authorities when the gang behind the Lurk malware caught.

 

The Return (again)

Since then Dridex has reappeared a number of times often being described a returning “with a vengeance”. Towards the end of January 2017 Dridex returned again, with a vengeance, this time targeting British Financial Institutions. As before this version of Dridex is delivered through targeted phishing campaigns however this latest variant contains a dangerous new feature –a User Account Control (UAC) Bypass. Dridex now makes use of the Windows default recovery disc executable (recdisc.exe) to load malicious code by using a fake DLL file. This executable is on the list of whitelisted applications and is automatically given elevated privileges meaning that this new version of Dridex can act with these elevated permissions.

The following are the steps Dridex takes following infection:

  • Dridex makes itself a directory at Windows\System32\6886 and copies the legitimate recdisc.exe file to this folder.
  • The malware payload is then copied to the %APPDATA%\Local\Temp folder and is renamed to a TMP file. This file is then copied into the Windows\System32\6886 folder with the filename SPP.dll.
  • The malware then executes a command to deleted any files that match the following patterns – wu*.exe and po*.exe in the System32 folder.
  • Now recdisc.exe is executed causing the Dridex payload to load itself through the impersonated DLL SPP.dll. Dridex is now operating with administrative privileges.
  • At this point a new firewall rule is added which allows Dridex to connect out and for P2P traffic to flow into the internal network.