• First observed in July 2014, “Dridex,” a financial banking Trojan, is considered to be one of the successors to the “GameOver ZeuS” (GoZ) malware.
• Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016 with its peak activity in May 2016.
• On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.
• Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.
• The new Dridex infection uses svchost and spoolsrv to communicate to peers and first-layer command-and-control (C2) servers.
First observed in July 2014, “Dridex,” a financial banking Trojan, is considered to be one of the successors to the “GameOver ZeuS” (GoZ) malware. Dridex utilizes a peer-to-peer architecture to protect its command-and-control (C2) servers against detection by security researchers and law enforcement.
Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016. On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.
Image 1: The Dridex campaign metrics reveal intermittent activity since its peak in May 2016.
After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself.
A typical Dridex sample often comes through as a Word document with macros, which are downloaded and then executed. Dridex is composed of two modules; an initial module downloads the main module. Flashpoint analyzed the malware in Windows x64 architecture.
Malware Analysis: Dridex Binary
File Name: qqwed[.]exe
Size: 151416 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: 32 Bits binary
Date: 0x58886760 [Wednesday, January 25 08:52:48 2017 UTC]
CRC: (Claimed): 0x0, (Actual): 0x27201 [Suspicious]
Entry Point: 0x40dd70 .text 0/13
Image 2: Dridex masks itself as “COMUID[.]DLL.”
Image 3: Dridex utilizes a custom packer stub that has a PDB path as “bon69[.]pbd.”The malware deletes itself from the current location and copies itself to %TEMP%.
Dridex executes the following commands:
• C:\Windows\System32\svchost[.]exe “C:\Users\%USER%\AppData\Local\Temp\dridex[.]exe”
• C:\Windows\System32\spoolsv[.]exe “C:\Users\%USER%\AppData\Local\Temp\ dridex[.]exe”
Image 4: Dridex queries user privileges and executes itself as svchost[.]exe.
Image 5: Dridex queries user privileges and executes itself as svchost[.]exe.
Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.
Windows 7 automatically elevates a hand-picked list of applications, one of them being recdisc, which further reduces the UAC dialogs a Windows user observes. These applications are referred to as being white-listed for auto-elevation. Dridex leverages this feature to bypass UAC.
The new UAC bypass method works as follows:
1. Dridex creates a directory in Windows\System32\6886.
2. Dridex copies the legitimate binary from Windows\System32\recdisc[.]exe to Windows\System32\6886\.
3. Dridex copies itself to %APPDATA%\Local\Temp as a tmp file and moves itself Windows\System32\6886\SPP[.]dll.
4. Dridex deletes any wu*.exe and po*.dll from Windows\System32.
5. Dridex executes recdisc[.]exe and loads itself as impersonated SPP[.]dll with administrative privileges.
Image 6: Dridex’s script copies the legitimate binary from Windows\system32\recdisc[.]exe to Windows\System32\6886\.
Dridex bypasses UAC by copying recdisc[.]exe into the new folder, entitled “6886,” mimicking the legitimate directory in Windows 686 for Windows x64 architecture:
copy C:\Windows\System32\recdisc[.]exe C:\Windows\System32\6886
move C:\Users\Admin\AppData\Local\Temp\G8F2[.]tmp C:\Windows\System32\6886\SPP[.]dll
move C:\Users\Admin\AppData\Local\Temp\Iq3903[.]tmp C:\Windows\System32\6886\A3hwpMKr[.]x3m
del %0 & exit
The following script executes the cmd batch file:
C:\Windows\System32\cmd[.]exe /c C:\Users\Admin\AppData\Local\Temp\3Dlej2[.]cmd del C:\Windows\System32\sysprep\wi*[.]exe del C:\Windows\System32\sysprep\po*[.]dll del %0 & exit
Dridex creates a firewall rule by allowing ICMPv4 listeners for peer-to-peer protocol communications in %AppData%\Local\Temp\:
netsh advfirewall firewall add rule name=”Core Networking – Multicast Listener Done (ICMPv4-In)” program=”C:\Windows\explorer[.]exe” dir=in action=allow protocol=TCP localport=any
del %0 & exit
Image 7: Dridex creates a custom firewall ruleset and attempts to delete files from the sysprep directory.
Dridex also communicates to peers on ports 4431-4433. In this instance, peers are other enslaved Dridex victims.
Image 8: Dridex communicates to a peer on port:4431.
Image 9: Dridex communicates to first-layer C2 via process spoolsv[.]exe.
Indicators of Compromise (IOCs)