Dridex, one of the most infamous banking trojans of them all, received a major upgrade in May, which security researchers say allows it to bypass security software with greater ease.
For the past few years, Dridex has been one of the most active cyber-crime infrastructures on the planet. The group behind the operation has built several botnets through which it delivers malware, exfiltrates funds, hides illegal transactions, and spams users with both the Dridex malware and the Locky ransomware.
Dormant Dridex makes a comeback
Several security firms have previously reported a downscaling of Dridex activity and an increased focus on Locky spam. Most recently, multiple security firms noticed one of the group's botnets delivering the Locky ransomware.
But this period of calm seems to have ended, judging by Trend Micro's report, which claims that starting on May 25, Dridex made a comeback, with new waves of spam email distributing the well-known banking trojan in massive numbers once again.
The security firm also says that Dridex itself has changed, and is now using a new trick to infect computers.
Dridex poses as a certificate to evade antivirus detection
In the past, the trojan relied on malicious Microsoft Office files that asked users to enable macro support. Once users did so, the malicious script would download Dridex and install it on the victim's PC.
The most recent version of Dridex features a change of M.O.: instead of downloading the Dridex executable directly, the macro scripts download a PFX (Personal Information Exchange) file, a format normally used by software certificates for storing public and private encryption keys for various operations.
“Perhaps, you are wondering why these cybercriminals added another layer in infecting systems,” the Trend Micro team asks. “Since the file dropped is initially in .PFX format, it enables DRIDEX to bypass detection.”
Antivirus and other security solutions usually recognize these types of files as benign, mark them as such, and exclude them from future scans.
Dridex now abuses the built-in Windows Certutil utility
After the PFX file reaches the infected host, the same macro script that downloaded it starts Certutil, a command-line utility built into Windows with the specific purpose of handling certificates as part of Certificate Services, available starting with Windows 8 and Windows Server 2012.
Certutil takes the PFX file and converts it into the Dridex EXE file, which can then infect the system. Since the antivirus has already marked the file as benign, it no longer keeps an eye on it, allowing Dridex to go under the radar.
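The delivery chain described above (an Office macro fetching a PFX file, then Certutil turning it into an executable) leaves a distinctive trace in process-creation telemetry that a blue team can alert on. The following is an added detection example written for this article; it is not Trend Micro's code and not part of the original report. It assumes Sysmon-style process-creation events with parent image, image and command line fields, that the macro runs inside a standard Office host (WINWORD, EXCEL, POWERPNT, OUTLOOK), and that the "conversion" step uses Certutil's decode mode, which the article does not name and is therefore an assumption here. The sample events are constructed, not captured from a real infection.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events for illustration only.
# Event 0 models the chain in the article; events 1-3 are benign or partial matches.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\bob\AppData\Local\Temp\invoice.pfx C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\corp.cer"},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\bob\Downloads\update.pfx C:\Users\bob\Downloads\update.exe"},
]

# Office hosts that a malicious macro would run inside (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Certutil's decode verbs (-decode / -decodehex), surrounded by whitespace or line ends.
DECODE_VERB = re.compile(r"(?i)(?<!\S)-decode(?:hex)?(?!\S)")
# A .pfx argument anywhere on the command line.
PFX_ARG = re.compile(r"(?i)\.pfx(?!\S)")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def office_spawns_certutil(event: dict) -> bool:
    """Rule 1: an Office application is the direct parent of certutil.exe."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) == "certutil.exe")


def certutil_decodes_pfx(event: dict) -> bool:
    """Rule 2: certutil is run in decode mode with a .pfx file as an argument."""
    if basename(event["image"]) != "certutil.exe":
        return False
    cmd = event["cmdline"]
    return bool(DECODE_VERB.search(cmd)) and bool(PFX_ARG.search(cmd))


RULES = [
    ("office_spawns_certutil", office_spawns_certutil),
    ("certutil_decodes_pfx", certutil_decodes_pfx),
]


def scan(events: list) -> list:
    """Return one finding per event that trips at least one rule."""
    findings = []
    for index, event in enumerate(events):
        hits = [name for name, check in RULES if check(event)]
        if hits:
            findings.append({"index": index, "rules": hits, "cmdline": event["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {', '.join(finding['rules'])}")
        print(f"  {finding['cmdline']}")
```

Rule 1 fires on the parent-child relationship alone, so it catches the macro chain even if the attacker renames the dropped file; rule 2 catches the conversion step regardless of which process launched it. Both firing on the same event is the strongest signal and matches the sequence the article describes.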
The only way to counter this change in Dridex's mode of operation is, once again, to remind employees and friends not to open files from unknown senders.
Supposedly both Necurs botnets are run by the Dridex Group which would make them in control of 5/6 of the world’s largest botnets… — MalwareTech (@MalwareTechBlog)
Dridex is high value machines for fraud and espionage, Necurs is low value ones for spamming Locky and Dridex. — MalwareTech (@MalwareTechBlog)