Feared banking malware Dridex is back with new capabilities

Jan 30, 2017 12:15 GMT

Banking malware Dridex is back and it’s worse, targeting British financial institutions with a new technique that has the capability of bypassing Windows User Account Control.

Researchers at security firm Flashpoint detected small phishing and spear-phishing campaigns targeting specific recipients. The messages contained macros in document attachments that allowed the download of the Dridex malware.

This User Account Control (UAC) bypass method had gone unobserved until now, the company says. It launches recdisc.exe, a recovery-disc executable shipped by default with Windows, which then loads the malicious code as an impersonated SPP.dll.

Recdisc is one of the applications that Windows 7 elevates automatically: it sits on the built-in whitelist of binaries subject to auto-elevation, so no UAC prompt is shown and the user has nothing to notice. By riding this particular train, Dridex can bypass UAC in no time.

How it works

First, the malware creates a directory in Windows\System32\6886 and then it copies the legitimate binary from recdisc to this folder. Dridex then copies itself to %APPDATA%\Local\Temp as a tmp file and moves itself to Windows\System32\6886\SPP.dll.

The malware then deletes any wu*.exe and po*.dll files from System32, executes recdisc.exe, and has the copied executable load it as the impersonated SPP.dll with admin privileges.

In short, Dridex bypasses UAC by running the recdisc executable it copied into the new 6886 folder. A script then runs a cmd batch file, after which Dridex creates a new firewall rule. This rule allows ICMPv4 listeners for its P2P protocol communications in %AppData%\Local\Temp.
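A host-side detection check for the staging steps described above, added here as an example; it is not code from the article or from Flashpoint's report. The event records are constructed, Sysmon-style dictionaries, and the event type names and field names are my own assumption.

```python
import fnmatch
import ntpath

SYSTEM32 = r"c:\windows\system32"

# Constructed sample events (not real telemetry), modelled on the behaviour the
# article describes plus two benign records for the legitimate recdisc.exe.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\6886\recdisc.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\6886\SPP.dll"},
    {"type": "file_delete", "path": r"C:\Windows\System32\wuapp.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\6886\recdisc.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\6886\recdisc.exe",
     "loaded": r"C:\Windows\System32\6886\SPP.dll"},
    {"type": "firewall_rule", "protocol": "ICMPv4",
     "program": r"C:\Users\alice\AppData\Local\Temp\update.tmp"},
    {"type": "process_create", "image": r"C:\Windows\System32\recdisc.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\recdisc.exe",
     "loaded": r"C:\Windows\System32\spp.dll"},
]


def _split(path):
    """Lower-cased (directory, filename) pair for a Windows path."""
    return ntpath.split(path.lower())


def classify(event):
    """Return a finding string if the event matches one of the described
    behaviours, else None. Each branch maps to one step in the article."""
    kind = event["type"]
    if kind == "file_create":
        d, n = _split(event["path"])
        # recdisc.exe or SPP.dll staged in a subdirectory of System32 (e.g. 6886)
        if n in ("recdisc.exe", "spp.dll") and d.startswith(SYSTEM32 + "\\"):
            return f"auto-elevated binary or side-load DLL staged at {event['path']}"
    elif kind == "file_delete":
        d, n = _split(event["path"])
        if d == SYSTEM32 and (fnmatch.fnmatch(n, "wu*.exe") or fnmatch.fnmatch(n, "po*.dll")):
            return f"wu*.exe / po*.dll removed from System32: {event['path']}"
    elif kind == "process_create":
        d, n = _split(event["image"])
        if n == "recdisc.exe" and d != SYSTEM32:  # copy run outside its home dir
            return f"recdisc.exe launched from non-standard location: {event['image']}"
    elif kind == "image_load":
        _, n = _split(event["image"])
        ld, ln = _split(event["loaded"])
        if n == "recdisc.exe" and ln == "spp.dll" and ld != SYSTEM32:
            return f"recdisc.exe side-loaded SPP.dll from {event['loaded']}"
    elif kind == "firewall_rule":
        prog = event.get("program", "").lower()
        if event.get("protocol", "").lower() == "icmpv4" and r"\appdata\local\temp" + "\\" in prog:
            return f"ICMPv4 allow rule for a program in user Temp: {event['program']}"
    return None


def detect(events):
    """Run classify() over an event stream and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]
```

The two benign records (recdisc.exe and spp.dll in their normal System32 location) produce no finding, so the check keys on the relocated copy rather than on the file names alone.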

Spreading efficiently

Thousands of systems have been infected already, and the malware behaves as it has in the past: it monitors a victim's traffic to bank sites and collects login credentials and account information.

Dridex was first observed in July 2014 and it is considered to be one of the successors of the GameOver ZeuS (GoZ) malware, making use of peer-to-peer architecture to protect its command-and-control servers against detection. The malware was particularly active between 2014 and 2015, although a few smaller campaigns were observed in 2016 too.