Dridex financial malware uses Word macros to infect


By Rob Lemos, ThirdCertainty

Following the takedown of the botnets behind Gameover Zeus and the Shylock trojan, a new breed of financially focused malware has cropped up, using new tactics to evade detection and to infect harder-to-compromise systems.

The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by e-mailing Word documents that carry malicious macros; when the macro runs, it installs the malware.


Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking the efforts of the groups behind it to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two different e-mail templates to more than 1,000, depending on the group behind the attack.

The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint.

“I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.”

The rapidly changing templates and the use of macros within Word documents are just two of the techniques that make Dridex an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems.

A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment to check for malicious behavior. Yet attackers have found ways to detect whether their code is running in such a “sandbox.” Early evasion attempts, for example, would simply sleep for an hour or a day before doing anything, because automated systems typically ran the code for only a few minutes before giving up.

Most current efforts, however, look for anomalies in the system in which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of processor cores. Many virtual analysis environments use only a single core for efficiency, while multi-core systems are now ubiquitous on real hardware.

Dridex, however, took a simpler tack: Because analysis systems tend to open the suspicious file and then wait for anomalous activity, the macro that installs Dridex is programmed to run only when the malicious Word document is closed, something a sandbox that merely opens the file and watches never does.
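The three evasion tricks just described (sleep past the analysis window, count processor cores, wait for the document to be closed) all leave traces in the macro source, and in VBA a close-only trigger is simply an `AutoClose` or `Document_Close` procedure. The scanner below is an added example written for this page; it is not Dridex code, not Proofpoint's tooling, and not from the article. It runs a handful of indicator patterns over macro source text (the VBA as extracted from the document's `vbaProject.bin` stream; extraction itself is outside the example) and reports what an analysis sandbox must do to make such a sample detonate. The sample VBA module, the indicator names, the 60-second sleep threshold and the two-indicator rule are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample VBA module. It is NOT Dridex code and not from the article;
# every line is invented for this example. It combines the three sandbox-evasion
# traits described above: a close-triggered entry point, a long sleep, and a
# processor-count check, followed by a harmless stand-in for the dropper stage.
SAMPLE_VBA = r'''
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Sub AutoClose()
    ' Word runs this when the document is closed, not when it is opened.
    Dim cpus As Integer
    cpus = CInt(Environ("NUMBER_OF_PROCESSORS"))
    If cpus < 2 Then Exit Sub          ' single-core box: assume sandbox, stay quiet
    Sleep 3600000                       ' wait an hour before doing anything
    Call Stage2
End Sub

Sub Stage2()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "cmd /c echo placeholder-for-downloader", 0, False
End Sub
'''


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    why: str
    min_value: Optional[int] = None  # numeric capture in group(1) must reach this


LONG_SLEEP_MS = 60_000  # assumed threshold: a minute already exceeds many sandbox run windows

INDICATORS: List[Indicator] = [
    Indicator("close_trigger",
              re.compile(r"\b(?:Sub|Function)\s+(?:AutoClose|Document_Close)\b", re.I),
              "entry point fires on document close; a sandbox that only opens the file never runs it"),
    Indicator("open_trigger",
              re.compile(r"\b(?:Sub|Function)\s+(?:AutoOpen|AutoExec|Document_Open)\b", re.I),
              "entry point fires on document open"),
    Indicator("long_sleep",
              re.compile(r"\bSleep\s+(\d+)", re.I),
              "delays execution past a short analysis window", min_value=LONG_SLEEP_MS),
    Indicator("cpu_count_check",
              re.compile(r"NUMBER_OF_PROCESSORS|NumberOfProcessors|NumberOfCores|NumberOfLogicalProcessors", re.I),
              "reads the processor count, a single-vCPU sandbox tell"),
    Indicator("shell_exec",
              re.compile(r'CreateObject\s*\(\s*"(?:WScript\.Shell|Shell\.Application)"', re.I),
              "spawns a shell from the macro"),
]


def scan_vba(src: str) -> Dict[str, List[str]]:
    """Return {indicator name: [matched text, ...]} for every indicator found in src."""
    hits: Dict[str, List[str]] = {}
    for ind in INDICATORS:
        found = []
        for m in ind.pattern.finditer(src):
            if ind.min_value is not None and int(m.group(1)) < ind.min_value:
                continue  # short sleep: normal UI pacing, not evasion
            found.append(m.group(0))
        if found:
            hits[ind.name] = found
    return hits


def triage(src: str) -> dict:
    """Scan a VBA module and say how an analysis sandbox must be driven to detonate it."""
    hits = scan_vba(src)
    actions = []
    if "close_trigger" in hits:
        actions.append("close the document after opening it, then keep monitoring")
    if "long_sleep" in hits:
        actions.append("hook Sleep or accelerate the guest clock")
    if "cpu_count_check" in hits:
        actions.append("run the guest with at least two vCPUs")
    return {
        "indicators": hits,
        "sandbox_actions": actions,
        "suspicious": len(hits) >= 2,  # assumed rule: two or more traits together
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for name, matches in report["indicators"].items():
        print(f"{name:16s} {matches}")
    for step in report["sandbox_actions"]:
        print("sandbox:", step)
    print("suspicious:", report["suspicious"])
```

The useful output is not the verdict but the sandbox actions: a detonation pipeline that opens a document, waits, and never closes it will simply never see a close-triggered macro run, so the close step has to be part of the analysis script, and a guest with a single vCPU will be recognized and ignored by the processor-count check regardless of how long it waits.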

The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint.

“They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.”

A single attack often results in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Matt Huang says.

The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets.

“Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Matt Huang says. “They have been quite successful.”

