Dridex, a banking Trojan that steals the victim's banking credentials and system information, remains active in the wild despite the recent takedown attempt. Dridex activity dropped significantly in September after the takedown operation, but we started seeing an uptick in the number of samples in our sandboxes in early October 2015. Dridex is distributed via e-mail with a Microsoft Office attachment that leads to the download and installation of the Dridex Trojan executable. The e-mail attachments in these campaigns varied from regular Microsoft Office document files to MHTML files, as seen in Figure 1.
|Figure 1: Malicious document sent in MHTML format|
MHTML, also known as MIME HTML, is a web page archive format that combines the HTML code and its companion resources (images, Flash animations, Java applets, audio files and so on), which would otherwise be external links, into a single MIME document. Malware authors are known to deliver documents containing malicious macros in MHTML format to evade antivirus detection: Word opens the archive as a normal document, while the macro container travels as a base64-encoded MIME part that signature engines expecting an OLE or OOXML file may not inspect. The embedded macro in this campaign was both obfuscated and protected with a basic VBA project password, which only prevents the macro from being viewed or edited in the Office editor and does not protect it from static analysis. We were able to bypass the password protection and extract the various document components by standard means. Figure 2 shows an example embedded malicious macro that downloads the Dridex executable from a predetermined server:
|Figure 2: Embedded malicious macro to download Dridex|
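To show how the macro container is recovered from an MHTML attachment, the following is an added example (not code from the original post or from Zscaler): it parses the MIME archive with the standard library, decodes each part, and unwraps the ActiveMime (editdata.mso) container that Word uses to carry the VBA project. The layout assumption that the zlib stream inside an ActiveMime blob normally begins at offset 0x32 is ours, with a fallback scan for a zlib header; the two-part sample document and the stand-in OLE payload are constructed for the example and are not Dridex artifacts.

```python
import base64
import email
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] compound file header
ACTIVEMIME_MAGIC = b"ActiveMime"                 # header of editdata.mso
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def mhtml_parts(data: bytes):
    """Decode every MIME part of an MHTML archive.

    Returns a list of (content_location, content_type, payload_bytes).
    Word writes each companion file as a transfer-encoded part whose
    Content-Location names the original path, so the macro container
    appears as .../editdata.mso (ActiveMime) or as a raw OLE part.
    """
    msg = email.message_from_bytes(data)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / QP
        parts.append((part.get("Content-Location", ""),
                      part.get_content_type(), payload))
    return parts


def unwrap_activemime(blob: bytes):
    """Return the OLE file hidden inside an ActiveMime wrapper, else None.

    Assumption (ours, not from the original post): the zlib stream usually
    starts at offset 0x32. If that fails, every zlib-header-looking offset
    is tried until one inflates to something starting with the OLE magic.
    """
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    candidates = [0x32] + [i for i in range(len(blob) - 1)
                           if blob[i:i + 2] in ZLIB_HEADERS]
    for off in candidates:
        try:
            out = zlib.decompressobj().decompress(blob[off:])  # tolerates trailing bytes
        except zlib.error:
            continue
        if out.startswith(OLE_MAGIC):
            return out
    return None


def extract_ole_from_mhtml(data: bytes):
    """Return (location, ole_bytes) for every part that is or wraps an OLE file."""
    found = []
    for location, _ctype, payload in mhtml_parts(data):
        if payload.startswith(OLE_MAGIC):
            found.append((location, payload))
        else:
            ole = unwrap_activemime(payload)
            if ole is not None:
                found.append((location, ole))
    return found


# Constructed sample (not a real Dridex document): a two-part MHTML archive
# whose second part is an ActiveMime wrapper around a stand-in OLE file.
FAKE_OLE = OLE_MAGIC + b"\x00" * 24 + b"VBA/ThisDocument stand-in"
_ACTIVE = (ACTIVEMIME_MAGIC + b"\x00" * (0x32 - len(ACTIVEMIME_MAGIC))
           + zlib.compress(FAKE_OLE))
SAMPLE_MHTML = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01D1"\r\n'
    b"\r\n"
    b"------=_NextPart_01D1\r\n"
    b"Content-Location: file:///C:/docs/invoice.htm\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"\r\n"
    b"<html><body>Enable content to view this document</body></html>\r\n"
    b"\r\n"
    b"------=_NextPart_01D1\r\n"
    b"Content-Location: file:///C:/docs/invoice_files/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"\r\n"
    + base64.encodebytes(_ACTIVE)
    + b"\r\n------=_NextPart_01D1--\r\n"
)

if __name__ == "__main__":
    for location, ole in extract_ole_from_mhtml(SAMPLE_MHTML):
        print(f"{location}: {len(ole)} bytes of OLE data")
```

The recovered OLE file is what the usual tools expect; hand it to olevba to decompress and dump the VBA streams. The VBA project password lives in the PROJECT stream of that file and is irrelevant to this extraction, which is why it offers no real protection.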
The samples we are seeing in these new campaigns are a mix of unsigned executables and executables digitally signed with valid certificates. The URL format hosting the signed Dridex samples changed to 195.37.231[.]2:8080/uniq/load[.]php from the previously seen format 94.250.252[.]13/bt/bt/stata[.]php. The Dridex executable downloaded by the macro above (Figure 2) appears to be packaged with a custom packer. This instance of the Dridex Trojan is signed with a certificate whose common name is "Favorite-III", which appears specific to the Dridex malware and is now also present in Comodo's Certificate Revocation List. Note that revocation only helps on hosts that actually fetch the CRL or query OCSP when the signature is checked; a signature made with a revoked certificate still chains to a trusted root for tools that verify offline, so signer identity and revocation status should both be checked rather than treating "signed" as "trusted".
|Figure 3: Dridex Certificate issued with CN Favorite-III|
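For triaging signed samples like the one above, the following added example (ours, not code from the original post or from Zscaler) locates the Authenticode PKCS#7 blob through the PE security directory and pulls out every commonName in it, so a batch of samples can be pivoted on a signer such as "Favorite-III" without trusting the signature. The minimal PE32 and the DER fragment with an "Example Code Signing CA" issuer are constructed for the example; the commonName scan is a shortcut that returns subject and issuer names from every certificate in the blob and verifies nothing.

```python
import struct

CN_OID = b"\x06\x03\x55\x04\x03"   # DER encoding of OID 2.5.4.3 (commonName)


def authenticode_blob(pe: bytes):
    """Return the PKCS#7 SignedData embedded in a PE, or None if unsigned.

    Data directory 4 (security) stores a file offset, not an RVA, of a
    WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                          # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:  # NumberOfRvaAndSizes
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        return None
    length, _revision, ctype = struct.unpack_from("<IHH", pe, off)
    if ctype != 0x0002:                               # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        return None
    return pe[off + 8: off + length]


def der_common_names(der: bytes):
    """Return every commonName string found in a DER blob, in file order.

    Walks each CN OID occurrence and reads the string TLV after it
    (PrintableString 0x13, UTF8String 0x0c, IA5String 0x16).
    """
    names = []
    i = der.find(CN_OID)
    while i != -1:
        p = i + len(CN_OID)
        tag, ln = der[p], der[p + 1]
        p += 2
        if ln & 0x80:                                 # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(der[p:p + n], "big")
            p += n
        if tag in (0x13, 0x0C, 0x16):
            names.append(der[p:p + ln].decode("utf-8", "replace"))
        i = der.find(CN_OID, p)
    return names


def signer_watchlist_hits(pe: bytes, watchlist):
    """Common names from the sample's signature that are on a watchlist."""
    blob = authenticode_blob(pe)
    return set(der_common_names(blob)) & set(watchlist) if blob else set()


# ---- constructed test fixtures (not real Dridex binaries) ----
def _cn_attr(name: bytes) -> bytes:
    """DER: SET { SEQUENCE { OID commonName, PrintableString name } }."""
    seq = CN_OID + b"\x13" + bytes([len(name)]) + name
    seq = b"\x30" + bytes([len(seq)]) + seq
    return b"\x31" + bytes([len(seq)]) + seq


def _build_pe(cert_der=None) -> bytes:
    """Minimal PE32 with no sections; optional WIN_CERTIFICATE appended."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    body = dos + b"PE\0\0" + coff
    if cert_der is None:
        return body + bytes(opt)
    padded = cert_der + b"\x00" * (-len(cert_der) % 8)
    wincert = struct.pack("<IHH", 8 + len(padded), 0x0200, 0x0002) + padded
    struct.pack_into("<II", opt, 96 + 4 * 8, len(body) + len(opt), len(wincert))
    return body + bytes(opt) + wincert


# Outer SEQUENCE length is a placeholder; the scanner does not walk it.
FAKE_SIGNER_DER = (b"\x30\x82\x01\x00"
                   + _cn_attr(b"Example Code Signing CA")
                   + _cn_attr(b"Favorite-III"))
SAMPLE_SIGNED_PE = _build_pe(FAKE_SIGNER_DER)
SAMPLE_UNSIGNED_PE = _build_pe()

if __name__ == "__main__":
    for label, sample in (("signed", SAMPLE_SIGNED_PE), ("unsigned", SAMPLE_UNSIGNED_PE)):
        blob = authenticode_blob(sample)
        print(label, der_common_names(blob) if blob else "no Authenticode signature")
```

This only answers "who does the blob claim signed it"; for the actual chain and revocation check use signtool verify /v /pa or PowerShell's Get-AuthenticodeSignature with the host online, since a certificate that is in Comodo's CRL still produces a signature that parses cleanly.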
We also saw the following additional certificates used to sign newer Dridex executables:
The following are some recent URLs from which Dridex executables were downloaded:
The following are some MD5 sums of signed and unsigned Dridex executables that we have encountered in the past month:

Signed:
82BB00DCAC6411669CE6AE5A60CBB3B3
9D4225ECDCDA7FE9A5EAE48601919114
2485C741AF50DE986079B6AD9B6C948A
290CD720AECF28773960C8E41172513C
1C21AEB3DC0E30E05630A3F61AAE83F9
0DA24BD7B49A955D8E4624371CCB8E9F
AFADE4E50D147A1FE18ACA8942E3E679

Unsigned:
1DE3889FDE95E695ADF6EADCB4829C6D
D7A31449E5F808FDBA0F6D3CF0D6E91C
7519F0D9D5C3B8D072FFCA7DDF213DDA
F2D6DEC39DAEF7ED90AAABB725590B02

The following are the statistics of Dridex executable downloads that we have seen in the past six weeks:
Dridex infections went down considerably after the global takedown operation, but we are starting to see a steady increase in infections this month, which indicates the malware gang's attempt to resurrect this highly lucrative botnet. The authors continue to sign their executables with legitimately issued certificates obtained specifically for this purpose in order to evade detection. Zscaler ThreatLabZ is actively monitoring this botnet and ensuring that Zscaler customers are protected.

Research by Tarun Dewan and Nirmal Singh