The Dridex authors frequently release updates such as new functions obfuscation and new configuration encoding to continue evading detection and mitigation techniques of security vendors. They have shifted the focus of their malware from targeting European financial institutions to new banking institutions in the United States.
Evidently, the developers of the malware display great proficiency in client and server paradigms as well as obfuscation. The following research outlines this skillset. It, along with Dridex authors’ commitment to the constant and frequent updates in the malware’s features, makes Dridex very agile and consequently hard to detect, decrypt, and analyze.
So, how is it that Dridex is watching you without your permission and you don’t know it?
It connects to the infected user’s machine during banking transactions with a remote session. This session is invisible to the user because it is held in another instance of the desktop that the malware opens using the VNC protocol. This instance is duplicated but not shared, meaning the attacker can’t see the user’s mouse and keyboard movement and vice versa.
After the malware is installed on a victim’s machine, it "phones home" to the Command and Control (C&C) of the botnet in order to get the target list and ask for the following modules: VNC and SOCKS.
The activation process can be triggered in one of two ways:
This research focuses on the injected module approach. (The way that VNC initiation has been triggered inside the Dridex configuration was described in an earlier F5 article.)
The flow involves interaction between the infected browser and the infected explorer.exe process.
The VNC flag in the configuration is inspected by the malicious code in the network function hook which Dridex injected into the browser.
So a targeted url was accessed and a malicious script was sent to the user. What’s next?
When the script is received, the VNC flag is inspected.
If the VNC flag is on, the malware expects to receive encrypted data. This encrypted data contains information which the malware uses later on:
Below is an example of a simple html response from the server with IP + Port appended (after decrypted routine):
The infected browser stores these encrypted IP records in the registry under the same key as the configuration but under a separate subkey.
The infected browser uses Windows’ events objects API in order to inform the infected explorer.exe to start the VNC. From this point, the infected explorer process takes over the activation process.
After this, if all the stages are successful, a VNC remote session is started and the fraudster can perform actions on the victim’s machine without his knowledge.
This feature is usually used as a complementary action after credentials stealing in order to bypass security products within the bank. These products aim to identify the user using the browser’s unique fingerprint.
The constant race between security vendors and cybercriminals pushes criminals into creating malware that is more obfuscated and has many different and independent components. These components help the malware authors overcome the obstacles and safeguards that banking institutions and security vendors put in place. These components also add a layer of complexity to the analysis process since it is now necessary to understand the interaction between the modules.
This race also pushes us, as researchers, to monitor and be vigilant regarding Dridex’ campaigns and evolution.