IT-Sicherheitsexperten waren sich bewusst über Dridex Banking-Trojaner seit 2014 und es ist immer noch eines der modernsten Malware in seiner Kategorie.
Development of this malware continues to this day: neue Versionen der Trojan erscheinen regelmäßig, mit periodischer Freisetzung großen Updates.Anfang Juni 2019, independent security expert Brad Duncan entdeckt a new version of Dridex, which used Application Whitelisting to block or disable Windows Script Host elements. eigentlich, this means that the abuse of WMI (WMIC) allows Malvare to use XLS scripts and bypass the defense mechanisms.
“Of note, the Dridex DLL files are 64-bit DLLs using file names that are loaded by legitimate Microsoft Windows system EXEs. These file paths, file names, and associated SHA256 hashes change every time the victim logs onto the infected Windows host”, — reported Brad Duncan.
Now a more detailed report on the new version of the Trojan was released by experts of the company eSentire. Researchers write that initially, when a sample was loaded onto VirusTotal, nur 6 aus 60 protective solutions “detected” malware in Dridex. Ab Juli 2, 2019, the number of detections increased to 46 aus 60.
Analysts at eSentire write that a new variation of Dridex is distributed through spam emails with malicious attachments. These documents contain malicious macros, which can be triggered by various interactions with the victim (it all depends on the specific system environment).
“The malware targets banking information on the victim system. Over the last decade, Dridex underwent a series of feature augmentation, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption”, — reported eSentire specialists.
Experts warn that many antivirus solutions may detect suspicious behavior of Dridex, but will not be able accurately determine the problem. Given the constant changes that occur in the Trojan infrastructure, signature-based antivirus software may be useless against Dridex.
Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within.
