Security researchers from Forcepoint have discovered a new variant of the Dridex malware.
The New Dridex Malware Variant Has Updated Stealth Protection Features
The Dridex malware continues to be developed and improved. Experts at the security vendor Forcepoint have identified a new variant with expanded features: Dridex can now target cryptocurrency wallets on victim computers, and it has improved stealth capabilities that help it evade security software.
The operators of Dridex have created custom profiles of certain commercial sandboxes and virtual machines used by researchers, and the malware blacklists those environments. This is a countermeasure against automated analysis that extracts the malware's code. Additional code has also been added to Dridex that lets the criminal operators build a profile of the victim system; this is used to scan for sensitive files that could serve blackmail or financial gain.
The developers have also modified parts of the XML structure, which complicates the binary's structure. While these mechanisms were put in place to protect the malware from inspection, Forcepoint's security staff have stated that it is still possible to recover the settings configuration files from the core module.
Dridex is one of the most widespread banking Trojans and has been used in a variety of attacks against financial institutions, individual users, and large companies. It is distributed mainly through scam emails that rely on spam tactics or social engineering; Dridex is either attached to the fraudulent messages or delivered via a link. One of the most notable attacks involving the malware took place last year in the United Kingdom, where GCHQ reported that a hit list of 385 million addresses had been issued with the threat.
Most anti-virus solutions already have definitions for Dridex and are expected to issue updates covering the newest variant. To counter the threat, users are also advised to enable two-factor authentication for sensitive services such as online banking wherever it is available.