Cybercrime

From malware and botnets to the latest cybercriminal schemes, check out what today’s black hat hackers are up to.

Blog > Cybercrime > Dridex Banking Trojan Returns, Leverages New UAC Bypass Method

Dridex Banking Trojan Returns, Leverages New UAC Bypass Method

Cybercrime

Key Takeaways

• First observed in July 2014, “Dridex,” a financial banking Trojan, is considered to be one of the successors to the “GameOver ZeuS” (GoZ) malware.

• Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016 with its peak activity in May 2016.

• On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.

• Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.

• The new Dridex infection uses svchost and spoolsrv to communicate to peers and first-layer command-and-control (C2) servers.

Background

First observed in July 2014, “Dridex,” a financial banking Trojan, is considered to be one of the successors to the “GameOver ZeuS” (GoZ) malware. Dridex utilizes a peer-to-peer architecture to protect its command-and-control (C2) servers against detection by security researchers and law enforcement.

Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016. On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.

Image 1: The Dridex campaign metrics reveal intermittent activity since its peak in May 2016.

Image 1: The Dridex campaign metrics reveal intermittent activity since its peak in May 2016.

After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself.

A typical Dridex sample often comes through as a Word document with macros, which are downloaded and then executed. Dridex is composed of two modules; an initial module downloads the main module. Flashpoint analyzed the malware in Windows x64 architecture.

Malware Analysis: Dridex Binary

File Name: qqwed[.]exe
Size: 151416 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: 32 Bits binary
MD5: 6233778c733daa00ce5b9b25aae0a3cb
SHA1: 1bfd0ac86f1bf52a5e8814dafb4a9bc4d3628384
imphash: 30bfdcbc94be82c2c3c0553cfa62aa50
Date: 0x58886760 [Wednesday, January 25 08:52:48 2017 UTC]
Language: English
CRC: (Claimed): 0x0, (Actual): 0x27201 [Suspicious]
Entry Point: 0x40dd70 .text 0/13

Image 2: Dridex masks itself as “COMUID[.]DLL.”

Image 2: Dridex masks itself as “COMUID[.]DLL.”

Image 3: Dridex utilizes a customer packer stub that has a PDB path as “bon69[.]pbd.”

Image 3: Dridex utilizes a custom packer stub that has a PDB path as “bon69[.]pbd.”The malware deletes itself from the current location and copies itself to %TEMP%.

Dridex executes the following commands:

• C:\Windows\System32\svchost[.]exe “C:\Users\%USER%\AppData\Local\Temp\dridex[.]exe”

• C:\Windows\System32\spoolsv[.]exe “C:\Users\%USER%\AppData\Local\Temp\ dridex[.]exe”

Image 4: Dridex queries user privileges and executes itself as svchost[.]exe.

Image 4: Dridex queries user privileges and executes itself as svchost[.]exe.

Image 5: Dridex queries user privileges and executes itself as svchost[.]exe.

Image 5: Dridex queries user privileges and executes itself as svchost[.]exe.

Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.

Windows 7 automatically elevates a hand-picked list of applications, one of them being recdisc, which further reduces the UAC dialogs a Windows user observes. These applications are referred to as being white-listed for auto-elevation. Dridex leverages this feature to bypass UAC.

The new UAC bypass method works as follows:

1. Dridex creates a directory in Windows\System32\6886.

2. Dridex copies the legitimate binary from Windows\System32\recdisc[.]exe to Windows\System32\6886\.

3. Dridex copies itself to %APPDATA%\Local\Temp as a tmp file and moves itself Windows\System32\6886\SPP[.]dll.

4. Dridex deletes any wu*.exe and po*.dll from Windows\System32.

5. Dridex executes recdisc[.]exe and loads itself as impersonated SPP[.]dll with administrative privileges.

Image 6: Dridex’s script copies the legitimate binary from Windows\system32\recdisc[.]exe to Windows\System32\6886\.

Image 6: Dridex’s script copies the legitimate binary from Windows\system32\recdisc[.]exe to Windows\System32\6886\.

Dridex bypasses UAC by copying recdisc[.]exe into the new folder, entitled “6886,” mimicking the legitimate directory in Windows 686 for Windows x64 architecture:

C:\Windows\System32\6886
copy C:\Windows\System32\recdisc[.]exe C:\Windows\System32\6886
move C:\Users\Admin\AppData\Local\Temp\G8F2[.]tmp C:\Windows\System32\6886\SPP[.]dll
move C:\Users\Admin\AppData\Local\Temp\Iq3903[.]tmp                         C:\Windows\System32\6886\A3hwpMKr[.]x3m
del %0 & exit

The following script executes the cmd batch file:

C:\Windows\System32\cmd[.]exe /c C:\Users\Admin\AppData\Local\Temp\3Dlej2[.]cmd del C:\Windows\System32\sysprep\wi*[.]exe del C:\Windows\System32\sysprep\po*[.]dll del %0 & exit

Dridex creates a firewall rule by allowing ICMPv4 listeners for peer-to-peer protocol communications in %AppData%\Local\Temp\:

netsh advfirewall firewall add rule name=”Core Networking – Multicast Listener Done (ICMPv4-In)” program=”C:\Windows\explorer[.]exe” dir=in action=allow protocol=TCP localport=any
del C:\Windows\System32\sysprep\wi*.exe
del C:\Windows\System32\sysprep\po*.dll
del %0 & exit

Image 7: Dridex creates a custom firewall ruleset and attempts to delete files from the sysprep directory.

Image 7: Dridex creates a custom firewall ruleset and attempts to delete files from the sysprep directory.

Dridex also communicates to peers on ports 4431-4433. In this instance, peers are other enslaved Dridex victims.

Image 8: Dridex communicates to a peer on port:4431.

Image 8: Dridex communicates to a peer on port:4431.

Image 9: Dridex communicates to first-layer C2 via process spoolsv[.]exe.

Image 9: Dridex communicates to first-layer C2 via process spoolsv[.]exe.

Indicators of Compromise (IOCs)

Dridex MD5:
6233778c733daa00ce5b9b25aae0a3cb

Payload:
hxxp://1fevh[.]top/fiscal/

First-Layer C2:
81[.]130[.]131[.]55: 8443
179[.]177[.]114[.]30:8443
84[.]234[.]75[.]108:8443

 

 

 

 

About the author: Vitali Kremez

Vitali is a Director of Research at Flashpoint who specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents mainly emanating from the Eastern European cybercriminal ecosystem. He has earned the majority of major certifications available in the information technology, information security, and digital forensics fields. Previously, Vitali enjoyed a successful career as a Cybercrime Investigative Analyst for the New York County District Attorney's Office partnering with the United States Secret Service, the Federal Bureau of Investigation, the Department of Homeland Security, Royal Canadian Mounted Police, City of London (UK) Police, New York Police Department, and Spanish Civil Guardia. His work helped the New York County District Attorney's Office and other offices deliver successful indictments of many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft.