In September 2016, I reported about the resurgence of the dangerous banking Trojan Dridex. The news regarding the malware since then had dropped off due to security professionals’ success fighting it. This all changed recently with a late January report from researchers at Flashpoint that detail Dridex's new attack methods.
According to the report authored by Flashpoint's Senior Intelligence Analyst Vitali Kremez, Dridex is now able to bypass Windows User Account Control (UAC). The process in which this method is capitalized on is detailed by Kremez as follows:
- Dridex creates a directory at Windows\System32\6886
- Dridex copies the legitimate binary Windows\System32\recdisc.exe into Windows\System32\6886\
- Dridex copies itself to %APPDATA%\Local\Temp as a .tmp file and then moves it to Windows\System32\6886\SPP.dll
- Dridex deletes the wu*.exe and po*.dll files from the Windows\System32 directory
- Finally, Dridex launches the copied recdisc.exe, which loads the fake SPP.dll, so the malware runs with administrative privileges.
All of this occurs without any user interaction after the initial infection, because the UAC prompt is bypassed entirely. The behavior Dridex abuses is a built-in feature of Windows rather than a bug. "Windows 7 automatically elevates a hand-picked list of applications, one of them being recdisc, which further reduces the UAC dialogs a Windows user observes," Kremez says. "These applications are referred to as being white-listed for auto-elevation."
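The sequence above leaves a distinctive footprint on the host: an auto-elevated Windows binary copied into a new subdirectory of System32, a DLL staged next to it, deletions of wu*.exe and po*.dll in System32, and the copied binary then executed from that unusual location. The following Python script is an added example (not code from the article or from Flashpoint) that runs those checks over file and process events. The event format is a constructed, simplified stand-in for Sysmon or EDR telemetry, and the sample events and file names (such as the deleted `wu_sample.exe`) are constructed to match the patterns the article describes.

```python
"""Detection logic for the recdisc.exe side-loading pattern described above.

Added example, not from the original article or Flashpoint. The event
dictionaries are a constructed, simplified form of file-create, file-delete
and process-create telemetry (for example Sysmon EventIDs 11, 23 and 1),
not a real log format.
"""
from fnmatch import fnmatch
from pathlib import PureWindowsPath

SYSTEM32 = str(PureWindowsPath(r"C:\Windows\System32")).lower()

# Binary the article says Windows 7 auto-elevates, and the DLL name the
# report says Dridex plants beside it.
AUTO_ELEVATED = {"recdisc.exe"}
PLANTED_DLLS = {"spp.dll"}

# File patterns the report says Dridex removes from System32.
DELETE_PATTERNS = ("wu*.exe", "po*.dll")


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _under_system32_subdir(path):
    """True if path is in a subdirectory *below* System32, not in System32 itself."""
    p = PureWindowsPath(path)
    ancestors = {str(a).lower() for a in p.parents}
    return SYSTEM32 in ancestors and _parent(path) != SYSTEM32


def analyze(events):
    """Return (finding, path) tuples for events matching the staging pattern."""
    findings = []
    for ev in events:
        path = ev.get("path", "")
        name = PureWindowsPath(path).name.lower()
        kind = ev.get("type")

        if kind == "file_create":
            # Copy of an auto-elevated binary, or the planted DLL, staged in a
            # fresh directory under System32.
            if _under_system32_subdir(path) and name in AUTO_ELEVATED | PLANTED_DLLS:
                findings.append(("staged_autoelevate_copy", path))

        elif kind == "file_delete":
            # Removal of wu*.exe / po*.dll directly inside System32.
            if _parent(path) == SYSTEM32 and any(fnmatch(name, pat) for pat in DELETE_PATTERNS):
                findings.append(("system32_binary_removed", path))

        elif kind == "process_create":
            # Auto-elevated binary executed from anywhere other than its home.
            if name in AUTO_ELEVATED and _parent(path) != SYSTEM32:
                findings.append(("autoelevate_binary_from_unusual_path", path))
    return findings


def likely_uac_sideload(findings):
    """Correlate: staging plus execution from the staged location is the
    combination worth escalating; either alone could be noise."""
    kinds = {f[0] for f in findings}
    return {"staged_autoelevate_copy", "autoelevate_binary_from_unusual_path"} <= kinds


# Constructed sample telemetry mirroring the steps in the article.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\6886\recdisc.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\6886\SPP.dll"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp"},
    {"type": "file_delete", "path": r"C:\Windows\System32\wu_sample.exe"},  # constructed name
    {"type": "process_create", "path": r"C:\Windows\System32\6886\recdisc.exe"},
    # Benign: the genuine binary run from its normal location.
    {"type": "process_create", "path": r"C:\Windows\System32\recdisc.exe"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for kind, path in found:
        print(f"{kind}: {path}")
    print("likely UAC side-load:", likely_uac_sideload(found))
```

The correlation in `likely_uac_sideload` matters more than any single rule: a lone process start of recdisc.exe from System32 is normal, and a stray file in a System32 subdirectory could be an installer, but the staged copy followed by execution from that staged path is the pattern the article describes.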
Though Windows 7 is used in this particular example, all versions of Windows, including Windows 10, are vulnerable. As with Dridex in the past, the ultimate goal of an attacker using the malware is to capture a user's banking information, in the hope of obtaining login credentials and account details.
Most Dridex attacks target large banks and other major financial institutions in the United Kingdom. Extra vigilance is required when protecting your machine against Dridex, as it is delivered via phishing and spear-phishing emails. The emails carry attachments that, once opened, drop the malware and set the infection in motion.
If you work in the financial industry, be especially vigilant for emails that seem legitimate but come from suspicious locations.