Command and control servers identified in Brazil and Latvia

Feb 3, 2015 18:46 GMT

Banking Trojan Dridex, the successor of Cridex, has been seen distributed through emails claiming to be from Circor International, a company that manufactures products for the energy, power generation, aerospace and defense infrastructure markets.

The message pretends to carry an invoice in Word document format and is accompanied by a fake scan result from MessageLabs (a Symantec-owned cloud-based web security service) to trick users into believing that the file is not malicious in nature.

Obfuscated macros lower antivirus detection

The Word file is laced with a malicious macro script that is poorly detected by antivirus products, according to a scan on VirusTotal performed by Conrad Longmore from Dynamoo’s Blog. The poor results are due to the commands included in the macro, which are obfuscated.

If macros are enabled in Word (Microsoft disables them by default in order to protect against such risks), the Dridex Trojan (bin.exe) is downloaded from “gloo.ng/js/.” At the moment, the page serving the malware displays a 404 error.

Gloo, formerly known as Buy Common Things, is a legitimate online supermarket in Nigeria that aims to become for Africa what Amazon is for the rest of the world.

According to Longmore, Dridex is saved in the temporary folder as “dsfsdf.exe,” which also has a low detection rate on VirusTotal, with only three out of 48 antivirus engines being able to identify it as a threat.
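The infection chain above (macro-laden Word document, executable fetched from gloo.ng/js/, dropped as dsfsdf.exe) lends itself to a simple static triage step. The script below is an added example, not code from the article or from Dynamoo's Blog: it opens an OOXML (.docx/.docm) container, reports whether a VBA project is present, and looks for the strings quoted in the article inside the macro part without executing anything. The sample document it builds is constructed for the example; the legacy binary .doc (OLE2) format is not handled here.

```python
import io
import zipfile

# Strings quoted in the article: the download location and the dropped file
# names. Obfuscated macros may hide them, so absence is not proof of safety.
KNOWN_STRINGS = [b"gloo.ng/js/", b"bin.exe", b"dsfsdf.exe"]


def triage_office_document(data: bytes) -> dict:
    """Inspect an OOXML blob: flag a VBA project and any known strings in it.
    Returns a report dict; the document is never opened in Word or executed."""
    result = {"has_vba_project": False, "macro_parts": [], "indicators": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML container"
        return result
    for name in archive.namelist():
        # OOXML stores VBA code in a binary part named vbaProject.bin
        if name.lower().endswith("vbaproject.bin"):
            result["has_vba_project"] = True
            result["macro_parts"].append(name)
            blob = archive.read(name)
            for needle in KNOWN_STRINGS:
                hit = needle.decode()
                if needle in blob and hit not in result["indicators"]:
                    result["indicators"].append(hit)
    return result


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip (sample data, not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed macro part containing the article's download URL
            z.writestr("word/vbaProject.bin",
                       b"\x00Attribute VB_Name=\"Mod1\"\x00http://gloo.ng/js/bin.exe\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_office_document(build_sample_document(flag)))
```

A clean document yields `has_vba_project: False`; the constructed macro sample is flagged with the URL and bin.exe strings.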

Command servers identified in Brazil and Latvia

As far as the command and control (C&C) servers are concerned, the malware seems to contact two IP addresses, one for a machine belonging to Universidade De Sao Paulo in Brazil and the other to SIA MWTV, an Internet provider in Latvia.

Dridex is known for stealing banking credentials when the victim tries to log in to an online bank account. It sits on the system waiting for one of the websites belonging to the targeted financial institutions to be launched. Then, it injects HTML content in the page that asks for supplemental information from the victim, such as the social security number, card expiration date, CVV (card verification value).

The malware appeared in November 2014 and targeted customers of the Bank of Scotland, Lloyds Bank, Danske Bank, Barclays, Kasikorn Bank, Santander, and Triodos Bank. The most affected countries at the time were Vietnam, India, Taiwan, Korea, and China.