{"id":82419,"date":"2016-03-25T14:23:11","date_gmt":"2016-03-25T08:53:11","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=82382"},"modified":"2016-03-30T19:31:46","modified_gmt":"2016-03-30T14:01:46","slug":"report-the-dridex-trojan-is-back","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/report-the-dridex-trojan-is-back\/","title":{"rendered":"Report: The Dridex Trojan is Back"},"content":{"rendered":"

\u201cDridex\u201d, also known as \u2018Buget\u2019, is the successor of \u201cCridex\u201d, a banking Trojan created for stealing victim credentials. After its takedown by the US Government in late 2015, the malware has come up with new versions and techniques. This report aims to provide detailed insights into the infection vector of Dridex, its behavior, work flow and the precautions users must exercise against this malware.<\/p>\n

Infection Vector<\/span><\/p>\n

Dridex infiltrates the victim’s machine via spam emails containing malicious attachments. The attachment is a macro-based .doc or .xls file. As the victim opens the attached file, the embedded macro downloads the next payload without the user’s consent. As Microsoft has disabled macros from Office 2007, the malware provides guidelines to enable the same. Also, the same family uses known vulnerabilities in MS Office like CVE-2012-0158 to spread the infection.<\/p>\n

 <\/p>\n

\"Spam<\/a>
Figure 01 – Spam email with malicious attachment<\/figcaption><\/figure>\n

Structure of the Macro<\/span><\/p>\n

Malware authors have been increasingly making using of macro to propagate malware due to its high rate of success. Macro used for this purpose are highly obfuscated to evade AV detection and to make its analysis difficult. The images below show some of the obfuscation techniques used by malware.<\/p>\n

Code Obfuscation Technique 1<\/span><\/p>\n

\"Figure<\/a>
Figure 02 – Obfuscation technique 1 – Uses decimals instead of characters<\/figcaption><\/figure>\n

Code Obfuscation Technique 2<\/span><\/p>\n

\"Figure<\/a>
\u00a0 Figure 03 \u2013 Obfuscation technique 2<\/figcaption><\/figure>\n

 <\/p>\n

In this technique, the malware stores the encrypted bytes in an array which is passed to the custom decryption routine. It uses different seed values to decrypt these bytes. After this decryption, it comes with a URL which points to the next downloadable payload of the infection chain.<\/p>\n

Format of the URL<\/span><\/p>\n

\"Figure<\/a>
Figure 04 – Downloadable URL<\/figcaption><\/figure>\n

 <\/p>\n

\"Figure<\/a>
Figure 05 \u2013 Request header<\/figcaption><\/figure>\n

Once the connection is established, it downloads the file into %temp%\/. The file name is present in the macro itself. The downloaded file is the dropper of Dridex.<\/p>\n

Hosting Dridex<\/span><\/p>\n

The following figure shows the Dridex-hosting countries.<\/p>\n

 <\/p>\n

\"Figure<\/a>
Figure 06 – Dridex hosting countries<\/figcaption><\/figure>\n

Workflow of Dridex<\/span><\/p>\n

Malware authors of Dridex regularly update the internals to evade AV detection and keep the infection persistent. The following figure shows the workflow of Dridex.<\/p>\n

 <\/p>\n

\"Figure<\/a>
Figure 07 – Worklow of Dridex<\/figcaption><\/figure>\n

 <\/p>\n