Dridex is Watching You
- by nlqip
The Dridex authors frequently release updates, such as new function obfuscation and new configuration encodings, to keep evading security vendors' detection and mitigation techniques. They have also shifted the focus of their malware from European financial institutions to banking institutions in the United States.
Evidently, the developers of the malware display great proficiency in client and server paradigms as well as in obfuscation. The following research outlines this skillset. This skillset, together with the authors' commitment to constant and frequent updates to the malware's features, makes Dridex very agile and consequently hard to detect, decrypt, and analyze.
How Does Dridex Watch You?
So, how is it that Dridex is watching you without your permission, and you don’t know it?
Dridex opens a remote session to the infected user's machine during banking transactions. This session is invisible to the user because it is held in a second desktop instance that the malware creates and exposes over the Virtual Network Computing (VNC) protocol. This instance is duplicated, not shared, meaning the attacker's mouse and keyboard activity is not visible to the user, and vice versa.
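Because the remote session lives on an extra desktop rather than on the one the user sees, one host-level check a defender can run is to enumerate the desktops in the process's window station and flag any name outside the expected baseline. The following PowerShell snippet is an added example for this article, not code from the original post or from any vendor; the baseline list of desktop names (`Default`, `Winlogon`, `Disconnect`) is an assumption that should be adjusted for the host being checked.

```powershell
# Added example: list desktops in the current window station and report
# any name not in a known baseline. An unexpected desktop is one indicator
# that a hidden remote-session desktop may have been created.
$source = @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class DesktopEnum
{
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetProcessWindowStation();

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);

    // Returns the names of all desktops in this process's window station.
    public static List<string> List()
    {
        var names = new List<string>();
        EnumDesktopProc cb = (name, lParam) => { names.Add(name); return true; };
        if (!EnumDesktops(GetProcessWindowStation(), cb, IntPtr.Zero))
        {
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        }
        return names;
    }
}
"@
Add-Type -TypeDefinition $source

# Assumption: baseline desktop names seen on a typical interactive session.
# Tune this list for the hosts you monitor.
$baseline = @('Default', 'Winlogon', 'Disconnect')

$desktops = [DesktopEnum]::List()
Write-Host "Desktops in current window station: $($desktops -join ', ')"

$unexpected = $desktops | Where-Object { $baseline -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected desktop(s) found: $($unexpected -join ', ')"
    Write-Warning "Investigate which process created them (e.g. with process/handle telemetry)."
} else {
    Write-Host "No unexpected desktops found."
}
```

Run it from an interactive session on the host under review; some security products and remote-support tools legitimately create their own desktops, so treat a hit as a lead to correlate with process creation and network telemetry rather than as a verdict on its own.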
After the malware is installed on a victim's machine, it "phones home" to the botnet's Command and Control (C&C) server in order to get the target list and to request the following modules: VNC and SOCKS.
The activation process can be triggered in one of two ways:
- By a command received from the C&C
- By the browser function hook after inspecting the VNC flag in the configuration
This research focuses on the injected module approach. (The way that VNC initiation has been triggered inside the Dridex configuration was described in an earlier F5 Labs article.)
VNC Activation Flow
The flow involves interaction between the infected browser and the infected explorer.exe process.
The Browser’s Role
The VNC flag in the configuration is inspected by the malicious code in the network function hook, which Dridex injected into the browser.
- This hook enables Dridex to inspect each request before it is sent over the wire.