Dridex, a banking malware which attempts to steal the victim's banking credentials and system information, continues to remain active in the wild after the recent takedown attempt. Dridex activity went down significantly in September after the takedown operation but we started seeing an uptick in the number of samples in our sandboxes starting early October 2015.
Dridex is distributed via e-mail with a Microsoft Office attachment that leads to the download and installation of the Dridex Trojan executable. The e-mail attachments in these campaigns varied from regular Microsoft Office document files to MHTML files as seen in Figure 1.
|Figure 1: Malicious document sent in MHTML format|
MHTML, also known as MIME HTML, is a web page archive format used to combine in a single document the HTML code and its companion resources that are otherwise represented by external links (such as images, Flash animations, Java applets, and audio files). The malware authors are known to send the documents containing malicious macro in MHTML format to evade antivirus detection.
The content of the embedded macro was both obfuscated and protected using a basic password that is intended to prevent modification of the macros. We were able to bypass the password protection and extract the various document components by standard means.
Figure 2 shows an example embedded malicious macro that downloads the Dridex executable from a predetermined server:
|Figure 2: Embedded malicious macro to download Dridex|
The samples we are seeing in these new campaigns are a mix of unsigned as well as some digitally signed using valid certificates. The format of the URLs hosting the signed Dridex samples changed to 195.37.231[.]2:8080/uniq/load[.]php instead of previously seen URL format 94.250.252[.]13/bt/bt/stata[.]php
The Dridex executable downloaded by above macro (Figure 2) appears to be packaged using a custom packer. This instance of the Dridex Trojan is signed using a certificate with the common name of “Favorite-III” which appears specific to the Dridex malware and which is currently also present in Comodo’s Certificate Revocation List.
|Figure 3: Dridex Certificate issued with CN Favorite-III|
We also saw following additional certificates used to sign the newer Dridex executables:
The following are some recent URLs from which Dridex executables were downloaded:
The following are some MD5 sums of signed and unsigned Dridex executables that we have encountered in past month:
Following are the statistics of Dridex executable downloads that we have seen in past six weeks:
Dridex infections went down considerably after the global takedown operation but we are starting to see a steady increase in the infections this month, which indicates the malware gang's attempt at resurrecting this highly lucrative Botnet. The authors continue to use the tactic of digitally signed malware executable to evade detection with legitimate certificates created specifically for this purpose.
Zscaler ThreatLabZ is actively monitoring this Botnet and ensuring that Zscaler customers are protected.
Research by Tarun Dewan and Nirmal Singh