Information security professionals op de hoogte waren over Dridex banking trojan sinds 2014 en het is nog steeds een van de meest geavanceerde malware in zijn categorie.
Development of this malware continues to this day: nieuwe versies van de Trojan verschijnen regelmatig, met periodieke release van grote updates.begin juni 2019, independent security expert Brad Duncan ontdekt a new version of Dridex, which used Application Whitelisting to block or disable Windows Script Host elements. eigenlijk, this means that the abuse of WMI (WMIC) allows Malvare to use XLS scripts and bypass the defense mechanisms.
“Of note, the Dridex DLL files are 64-bit DLLs using file names that are loaded by legitimate Microsoft Windows system EXEs. These file paths, file names, and associated SHA256 hashes change every time the victim logs onto the infected Windows host”, — reported Brad Duncan.
Now a more detailed report on the new version of the Trojan was released by experts of the company eSentire. Researchers write that initially, when a sample was loaded onto VirusTotal, enkel en alleen 6 van 60 protective solutions “detected” malware in Dridex. Vanaf juli 2, 2019, the number of detections increased to 46 van 60.
Analysts at eSentire write that a new variation of Dridex is distributed through spam emails with malicious attachments. These documents contain malicious macros, which can be triggered by various interactions with the victim (it all depends on the specific system environment).
“The malware targets banking information on the victim system. Over the last decade, Dridex underwent a series of feature augmentation, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption”, — reported eSentire specialists.
Experts warn that many antivirus solutions may detect suspicious behavior of Dridex, but will not be able accurately determine the problem. Given the constant changes that occur in the Trojan infrastructure, signature-based antivirus software may be useless against Dridex.
Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within.
