Dridex first came about in late 2014 as a banking Trojan that aims to steal personal information and subsequently gain access to bank accounts; it is derived from the infamous Zeus Trojan. It is often delivered via spam emails with malicious attachments, typically Microsoft Word or Excel documents containing malicious macros, which download the next stage of the malware. Once executed, the Trojan harvests user credentials and other personal information, and depending on the variant its capabilities can be extended further. Though well over a year old, Dridex is still regularly detected.
Countercept has discovered a new variant, as Alex Fletcher, Threat Hunter at Countercept, explains: “A particular Dridex variant identified recently initially looked the same as previous versions. However, on closer examination it quickly became apparent that this was a new incarnation. It was initially caught using anomaly detection as a single host was identified as having a number of reflectively injected DLLs into various core processes.”
Reflective loading of DLLs is a technique for running code directly in memory without writing a file to disk. Because traditional security solutions such as anti-virus look for changes on disk, they see nothing, and the technique goes largely undetected. It has the added benefit, from the attacker's point of view, of using a legitimate process to host the malicious code.
Alex continues, “While some legitimate software may utilise reflective DLL injection, malware and generic malicious tools commonly use this in an effort to evade traditional detection. As malware typically will try and communicate outbound to a command and control server (C&C), checking the current active connections on the system found that explorer.exe had an active connection to a server on the internet using TCP port 443. Previous analysis of Dridex highlighted the use of a registry key named ‘Shellfolder’ of type REG_BINARY with a randomised value, and as this registry value existed, this confirmed that this was a Dridex infection.
“What was interesting was that no persistence mechanism had been identified. Our analysis indicates that some newer Dridex variants will only write their persistence mechanisms on shutdown and then remove them again after start-up. To verify that this is the case, we took a disk image while the system was in a powered-down state and re-investigated the system for persistence mechanisms. This identified a run key in the registry and an executable written to disk to allow the malware to persist through reboots. The malware was hooking the shutdown API and generating new executables, with different hashes, upon each shutdown.”
This presents a number of issues for traditional prevention:
- Anti-virus struggles to deal with reflective loads due to code being loaded dynamically into legitimate processes without touching disk. Additionally, it is dangerous for anti-virus to terminate legitimate processes if it does detect an infection.
- Upon each rewrite to disk, the malware generates a new binary with a different hash. If anti-virus signatures fail to prevent the initial attack vector from executing, this behaviour makes the malware hard to signature, since it is a different file after each reboot.
- With fewer artefacts on disk or in the registry while the system is running, it is harder to detect a compromise.
Once a system is infected, the malware quietly steals personal information, such as bank account login details. The longer the malware remains active on the system, the more time it has to collect user credentials as the user accesses different resources. By targeting users within organisations, this could lead to the capture of business account credentials. With the correct login credentials, fraudsters could then make large transfers out of the business accounts.
Alex concludes, “By application of live memory analysis techniques across entire enterprise networks and using anomaly detection, we were able to identify activity by this new variant of malware despite it having no persistence entries or files on the disk while the system was active. Correlation of one suspicious indicator with other host, network and log data can then be used to quickly identify the source of infection, command and control channels and other malicious indicators.”
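The hunt described above combines three kinds of evidence: a process such as explorer.exe holding an outbound TCP 443 connection, a REG_BINARY registry value named Shellfolder with a randomised blob, and persistence entries that exist only in a powered-down disk image and whose executable changes hash on every shutdown. The following is an added example, not Countercept's tooling, showing how those indicators can be checked and correlated over host snapshots. All sample data (registry paths, process list, IP addresses, file contents) is constructed for the example, the entropy threshold and the list of processes expected to use HTTPS are assumptions to tune per environment, and the snapshot layout stands in for whatever a live capture or offline image parser would actually return.

```python
"""Correlating the Dridex indicators discussed above over constructed host
snapshots. Added example; all data below is made up for illustration."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Processes for which outbound TCP 443 is routine (assumption: tune per estate).
EXPECTED_HTTPS_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}
ENTROPY_THRESHOLD = 5.5  # bits per byte; assumed cut-off for a "randomised" blob


@dataclass
class Snapshot:
    """What a live capture or an offline disk image yields for one host."""
    label: str
    connections: List[Dict] = field(default_factory=list)      # live capture only
    registry: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)
    run_keys: Dict[str, str] = field(default_factory=dict)     # value name -> image path
    files: Dict[str, bytes] = field(default_factory=dict)      # path -> file content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random data, low for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def shellfolder_indicator(snap: Snapshot) -> List[str]:
    """Registry values named Shellfolder, of type REG_BINARY, holding random-looking data."""
    hits = []
    for path, (kind, value) in snap.registry.items():
        name = path.rsplit("\\", 1)[-1]
        if (name.lower() == "shellfolder" and kind == "REG_BINARY"
                and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            hits.append(path)
    return hits


def unexpected_https_egress(snap: Snapshot) -> List[Tuple[str, str]]:
    """Established TCP 443 connections from processes not expected to talk HTTPS.
    explorer.exe doing so is a lead to correlate with other evidence, not proof."""
    return [(c["process"], c["raddr"]) for c in snap.connections
            if c["rport"] == 443 and c["state"] == "ESTABLISHED"
            and c["process"].lower() not in EXPECTED_HTTPS_PROCS]


def persistence_only_offline(live: Snapshot, offline: Snapshot) -> Dict[str, str]:
    """Run-key entries present in the powered-down image but absent from the live capture."""
    return {k: v for k, v in offline.run_keys.items() if k not in live.run_keys}


def sha256_of(snap: Snapshot, path: str) -> Optional[str]:
    data = snap.files.get(path)
    return hashlib.sha256(data).hexdigest() if data is not None else None


def hash_churn(first: Snapshot, second: Snapshot) -> List[str]:
    """Persistence entries whose executable has a different hash in two images taken
    after successive shutdowns; this is why per-file signatures lag behind."""
    churn = []
    for name, path in first.run_keys.items():
        other = second.run_keys.get(name)
        if other is None:
            continue
        h1, h2 = sha256_of(first, path), sha256_of(second, other)
        if h1 and h2 and h1 != h2:
            churn.append(name)
    return churn


def triage(live: Snapshot, offline_a: Snapshot, offline_b: Snapshot) -> List[str]:
    """Collect every indicator so an analyst sees them side by side."""
    findings = [f"registry: random REG_BINARY at {p}" for p in shellfolder_indicator(live)]
    findings += [f"network: {proc} -> {ip}:443" for proc, ip in unexpected_https_egress(live)]
    findings += [f"persistence: Run\\{n} -> {p} (offline image only)"
                 for n, p in persistence_only_offline(live, offline_a).items()]
    findings += [f"persistence: Run\\{n} hash changed between shutdowns"
                 for n in hash_churn(offline_a, offline_b)]
    return findings


# ---- constructed sample data (not real artefacts) ---------------------------
RANDOM_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # 256 bytes
LIVE = Snapshot(
    "live capture",
    connections=[
        {"process": "explorer.exe", "pid": 1234, "raddr": "203.0.113.10", "rport": 443, "state": "ESTABLISHED"},
        {"process": "chrome.exe", "pid": 5678, "raddr": "198.51.100.7", "rport": 443, "state": "ESTABLISHED"},
        {"process": "svchost.exe", "pid": 900, "raddr": "198.51.100.20", "rport": 80, "state": "ESTABLISHED"},
    ],
    registry={
        r"HKCU\Software\Constructed\Shellfolder": ("REG_BINARY", RANDOM_BLOB),      # flagged
        r"HKCU\Software\Vendor\Shellfolder": ("REG_BINARY", b"\x01\x00" * 8),      # low entropy
        r"HKCU\Software\Vendor\Path": ("REG_SZ", b"C:\\Program Files\\Vendor"),    # wrong type
    },
    run_keys={"OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
)
OFFLINE_A = Snapshot(
    "image after shutdown 1",
    run_keys={**LIVE.run_keys, "Updater": r"C:\Users\u\AppData\Roaming\a1b2\svc.exe"},
    files={r"C:\Users\u\AppData\Roaming\a1b2\svc.exe": b"MZ" + b"\x90" * 8 + b"variant-a"},
)
OFFLINE_B = Snapshot(
    "image after shutdown 2",
    run_keys={**LIVE.run_keys, "Updater": r"C:\Users\u\AppData\Roaming\c3d4\svc.exe"},
    files={r"C:\Users\u\AppData\Roaming\c3d4\svc.exe": b"MZ" + b"\x90" * 8 + b"variant-b"},
)

if __name__ == "__main__":
    for line in triage(LIVE, OFFLINE_A, OFFLINE_B):
        print(line)
```

No single finding here is conclusive on its own (explorer.exe legitimately uses HTTPS at times, and Windows has legitimate ShellFolder keys), which is why `triage` reports all four together: the random Shellfolder blob plus the unexplained egress during the live capture, and the run key and hash churn that only an offline image reveals, are what make the picture consistent with the variant described.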