New variant of Dridex trojan fools antivirus solutions

• This new variant uses a whitelisting technique in order to evade mitigation from antivirus software.
• It is believed that the attack campaign related to this variant also uses a new command and control infrastructure.

Security researchers have recently identified an ongoing attack campaign distributing a new variant of the Dridex trojan. Discovered by malware researcher Brad Duncan, this variant reportedly goes undetected under many of the popular antivirus solutions. Security firm eSentire, which conducted an extensive analysis of this unique variant, suggests that the new infrastructure used for the malware is expected to change over time.

Dridex is one of the fastest evolving malware which has seen advanced features being incorporated in its structure at frequent intervals.

Worth noting

• The malware is customarily distributed through spam emails containing malicious Word documents. These documents make use of macros for downloading the trojan.
• The macro script uses an application whitelisting bypass technique to avoid mitigation done through Windows Script Host.
• If the macro is successfully executed, it connects to the ssl-pert[.]com to download servern.exe, which is the Dridex installer.
• Samples analyzed by Duncan and eSentire contained malicious JavaScript code embedded in an XSL template. This script actually downloads and executes the Dridex installer.
• According to eSentire, only 16 antivirus solutions detected the new variant of Dridex.

Evolving infrastructure

As mentioned earlier, eSentire researchers note that the command and control infrastructure used by the new variant is evolving and the campaign will continue employing new indicators.

“Two observations indicate this campaign isn’t done shifting identifiers. Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” researchers wrote in a blog.