In this week's new Malware Slack Chat, the Barkly malware research team examines the new Dridex banking trojan variant making waves since researchers announced its discovery on Tuesday. Note: the transcript below has been slightly edited.
jonathan: For anyone who isn't familiar, what is Dridex all about? How does it typically find its way onto a machine?
rick: The malware targets credential theft, mostly financials. It spread originally as malware macros + 2nd/3rd stage executable payloads.
forrest: The first stage of the attack in almost all of these campaigns is an email with an excel/word document with a malicious macro in it (for Dridex/Dyre). The macro downloads/writes out an executable to the user’s computer after they open the document, and then runs it. Once this has happened the malware can do anything it wants — attack the web browser to steal banking info, search for saved passwords, log keystrokes, etc.
ryan: It reminds me of SSL, when you used to get the pop-up saying there was a problem with the certificate and you had to click to continue (almost everyone continues).
matt: People are curious. Someone will always click things you probably don’t want them to at some point, especially when there are thousands of employees.
ryan: Right. Phishing is still a very successful method for delivering this and plenty of other malware, as you only need a very small click rate to be successful. It's like banner ads — you put them everywhere and someone is bound to click.
rick: Some phishing attempts are getting pretty sophisticated, too. They can look like emails from job applicants with resumes, quotes from vendors, even faked emails from people you know.
No evidence that Dridex is doing this, but it’s pretty easy to look through LinkedIn and find a person’s contacts to see who they work with or identify someone they share a high degree of mutual connections with. It would be pretty easy to craft an effective phishing email that looks like it is coming from one of those people.
ryan: So the first-stage attack vehicle is an office macro. Is this gaining in popularity? I didn’t think it was such an issue anymore. Don’t people just disable macros?
forrest: It’s hard to say for certain how many individuals/organizations know to disable macros, but the fact is this is an ancient attack vector and AVs are still leaving this old door unguarded after all this time. There have been macro viruses since the '90s.
jonathan: So to avoid it altogether, you’re either a) hoping employees don’t open attachments; b) making it so they can’t open attachments; c) making sure macros are disabled and stay disabled; d) having endpoint protection that actually spots/stops it?
forrest: In some cases, the organization might need to enable macros, and then there’s always the problem that Matt brought up of needing just one out of 1,000 employees who will inevitably run it, anyways. To a large extent, it is a responsibility of the endpoint security to catch and prevent such an obviously suspicious and potentially malicious behavior from a macro.
ryan: Unfortunately, once macros are enabled it's often global, so if you need to have macros (remember, this is a piece of functionality that is considered a feature), you are left with option 'D' (having endpoint protection that actually spots/stops it). And unfortunately ‘D’ is the same grade most endpoint solutions get at preventing this.
jonathan: What's different and interesting about this new "revamped" version of Dridex?
rick.correa: This new variant appears to add DNS poisoning. Once infected, users think they’re going to their normal banking websites, but behind the scenes they’re redirected to fake websites set up to steal credentials, including two-factor authentication credentials.
matt: Wouldn’t the use of DNS poisoning also put other people using the same DNS server in danger of being redirected as well? Not just the person originally infected with Dridex?
ryan: DNS poisoning is just happening on the infected machine. It's not taking over a corporate DNS.
forrest: Other than that, it sounds fundamentally exactly the same as the older versions as well as Dyre. Just the classic banking trojan, so similar in fact that they speculate it may have been developed by the same people.
Behaviorally speaking, having a malicious macro download and run a program (to get onto the system through the document the user opens), and then inject itself into the web browser to steal banking information are not new methods at all. They've both been around for at least a decade (macro attacks much longer). And the behavior does not seem to have fundamentally changed at all between the old Dridex and the newer ones.
rick: So Tuesday night when the article citing the IBM X-Force research was posted only 4 AVs flagged it (ESET was the only major AV), even though the malware was first seen January 6, 2016. The next morning 23/56 AVs flagged it.
I wonder if the article had not been posted, if it would have still been fairly low AV detections…
forrest: The fact only 4/56 anti-virus solutions detected it goes to show the flaw in the signature-based approach. Considering how similar this malware was to past variants and other major banking trojans it should have been generically detected. On top of that, Dridex is rated as one of the most prevalent banking trojans in the entire world. If only 4/56 AVs can detect when a new variant comes out, it's the quintessential microcosm of the problem in the industry.
ryan: The AV herd mentality.
kirk: Wow, 4/56! How long did it take with the last variant before the community had decent coverage?
ryan: I remember when we were initially looking at Dridex it was hard to find an “active” sample as the campaigns wouldn’t run very long. By the time you got a sample the main distribution/command site was already down.
kirk: So they only had about 43% coverage after 15 days.
rick: At Day 14 only 7% of AVs had coverage.
kirk: What did attackers change to make their new variant undetectable?
forrest: The campaigns we have looked at tend to be obfuscated with different crypters (or new, updated/undetected versions of existing crypters).
All that has likely changed with this new Dridex is that the macro obfuscation has changed and the crypter used to obfuscate the main executable file it drops has been updated specifically to bypass AV. There are crypter services which specifically spend their time just tinkering with their obfuscation to do that. They thoroughly test against existing AV, using services like VirusTotal.
ryan: The interesting thing is that right now it's a cat and mouse game, but the samples are morphing rapidly and the detection rate is slow to catch up until a new variation is spotted. Once that happens, the AV community can add a new signature and it's blocked again, but as an attacker you only need a small window of time to be successful.
This is the cycle AVs and their customers are stuck in. Rinse and repeat.
rick: This is interesting… the sample quoted in the article is a DLL. Dridex is generally a word document + 2nd/3rd-stage executables. I wonder if Dridex changed their MO or if this is something new… Time for IDA Pro.
ryan: Wouldn’t it be funny if a call to arms like this is based on a false identification? Wouldn’t be the first time.
rick: Interesting — the DLL in the article is a 64-bit DLL.
kirk: So the new variant doesn’t support 32-bit Windows? Or did a prior stage figure out which version to download?
rick: I’m not sure. The prior campaigns seemed to be 32-bit. Looking into it. By the way, RE: Dridex, a friend pointed me to http://blog.dynamoo.com/ There are a few entries to January Dridex infections. I wonder if it’s the same sample...
ryan: Looks like we need to take a look and come back with our own conclusions.
Editor's note: Stay tuned for more discussion from the Barkly Malware Research team on the latest security threats and trends by subscribing to our blog.