The Dridex Banking Trojan Hits Again

The infamous banking Trojan Dridex has returned with a new wave of attack campaigns and a slightly updated version. Continue reading to find out more about the new iteration.

Dridex Strikes Once More

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

The infamous and feared Dridex malware has been identified in a new attack campaign that targets British Financial Institutions. The alarming fact is that these companies are not only targeted by the virus, but that the attack campaign carries a modified and updated version. Experts from Flashpoint Security identified the threat hiding in a phishing campaign that targets a predefined list of targets. The modified version infects via dangerous macros that are places in documents. Various social engineering tricks are used to make the victim enable the malicious macros which downloads the Dridex malware.

The new version features a dangerous new capability – a User User Account Control (UAC) Bypass. It uses the Windows default recovery disc executable (recdisc.exe) which loads malicious code using an impersonated DLL file. This application is automatically elevated when run in the Windows 7 operating system. This makes it difficult to observe, as it is placed in the whitelist of applications.

Dridex Infection Behavior Pattern

Upon target execution of the macros Dridex is introduced to the system via the following infection behavior pattern:

  1. Dridex creates a directory in the Windows\System32\6886 folder and copies the legitimate recdisc binary to this location.

  2. The malware is then copied to the %APPDATA%\Local\Temp where it is renamed as a TMP file. After this is done the resulting file is copied as Windows\System32\6886\SPP.dll.

  3. After this is done the malware deletes any files that are associated with the following file names – wu*.exe and po*.dll files in the System32 folder.

  4. Dridex executes the recdisc.exe binary and loads itself using the impersonated SPP.dll file. At this point it has elevated administrative privileges.

  5. The UAC Bypass is activated and the malicious script engine adds a new firewall rule which allows Dridex network P2P traffic to flow from the Internet to the internal network.

We have already received reports of infected hosts that have been infected by the threat. The virus is extremely dangerous – it is able to steal online banking accounts, other account credentials and other sensitive information. To learn more about the malware you can read our previous article about the dangerous virus. We recommend that everyone use a trusted anti-spyware software to safeguard their computers and remove infections from affected hosts.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Avatar

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *