New Dridex variant evades anti-virus detection

Researchers have spotted a variant of the Dridex banking trojan with stronger capabilities that help it skirt anti-virus detection.

While Dridex has been around since 2011, researchers have said that they recently spotted phishing emails distributing a never-before-seen variant of the malware. This variant uses file signatures that are difficult for anti-virus software to detect – preventing the malware from being identified on infected systems.

A Threatpost report quoted R DePre, red team technical manager with eSentire, as saying that the new variant is another step in the “constant game of cat-and-mouse” being played between defenders and the attackers behind the Dridex malware: “As detection for new techniques continues to evolve, the malicious actors will continue to update their tools to bypass those detections.”

Dridex first appeared in 2011 – but in the nearly a decade since, the malware has undergone a series of transformations. Most recently, researchers spotted the malware being delivered to victims via an email carrying a malicious document with embedded macros. Once downloaded, Dridex targets banking information.

Anti-virus software relies mainly on file signatures (MD5 or SHA256 hashes) to detect malicious applications, DePre added. Dridex utilizes newly created and signed 64-bit dynamic link libraries (DLLs), which have different file signatures from the previous versions that anti-virus software has detected in the past, the Threatpost report said.

Specifically, the malware targets a weak execution policy around XLS scripts in WMIC (the Windows Management Instrumentation command-line utility), which lets it slip past application whitelisting. Application whitelisting is the process of specifying the approved applications that are permitted to execute within a computer environment; many companies utilize this technique to protect themselves from harmful applications.

The weakness means that XLS scripts containing malicious Visual Basic Script (VBS) can be loaded: “Essentially, if a company has Windows Script host disabled or blocked, this variant can bypass that whitelisting technique and still execute malicious code via WMIC using an XLS file with malicious VBS in it,” said DePre.
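The defensive counterpart to the behaviour described above is to watch for WMIC being told to load a stylesheet from anywhere other than its built-in format names. The following is an added detection example, not code from the article, Threatpost or eSentire. It assumes that the script files the article calls XLS are XSL stylesheets passed through WMIC's `/format:` switch (the switch that consumes XSL files), and it runs over a few constructed process-creation records in a simplified `parent -> image command_line` text form, not real telemetry. Built-in format names such as `list` or `csv` carry no path, so anything with a path separator, a URL scheme or an `.xsl` extension is treated as an external stylesheet, and an Office parent process raises the severity.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not real telemetry) in the form
# "<parent image> -> <full image path> <command line>".
SAMPLE_EVENTS = [
    "explorer.exe -> C:\\Windows\\System32\\wbem\\WMIC.exe wmic os get caption",
    "WINWORD.EXE -> C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list /format:\"C:\\Users\\Public\\invoice.xsl\"",
    "EXCEL.EXE -> C:\\Windows\\System32\\wbem\\WMIC.exe wmic os get /format:https://example.invalid/style.xsl",
    "cmd.exe -> C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief /format:list",
    "svchost.exe -> C:\\Windows\\System32\\notepad.exe notepad.exe report.xsl",
]

# Office parents launching WMIC with an external stylesheet match the
# macro-document delivery described in the article, so they rank higher.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Captures the /format: argument, quoted or bare, case-insensitively.
FORMAT_RE = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://")


@dataclass
class Finding:
    parent: str
    format_arg: str
    reason: str
    severity: str


def parse_event(line: str):
    """Split one constructed record into (parent, image path, command line)."""
    parent, rest = line.split(" -> ", 1)
    image, _, cmdline = rest.partition(" ")
    return parent.strip(), image, cmdline


def external_stylesheet(arg: str) -> Optional[str]:
    """Return why the /format: argument is suspicious, or None if it is a
    built-in format name (which carries no path and no extension)."""
    lowered = arg.lower()
    if URL_RE.match(lowered):
        return "remote stylesheet URL"
    if "\\" in arg or "/" in arg or lowered.endswith(".xsl"):
        return "stylesheet path outside the built-in format names"
    return None


def inspect_event(line: str) -> Optional[Finding]:
    """Flag a WMIC launch whose /format: argument points at an external stylesheet."""
    parent, image, cmdline = parse_event(line)
    if image.lower().rsplit("\\", 1)[-1] != "wmic.exe":
        return None
    match = FORMAT_RE.search(cmdline)
    if not match:
        return None
    arg = match.group(1) if match.group(1) is not None else match.group(2)
    reason = external_stylesheet(arg)
    if reason is None:
        return None
    severity = "high" if parent.lower() in OFFICE_PARENTS else "medium"
    return Finding(parent, arg, reason, severity)


def scan(events: List[str]) -> List[Finding]:
    """Run the rule over a batch of records and keep only the hits."""
    return [f for f in map(inspect_event, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.parent} -> wmic /format:{finding.format_arg} ({finding.reason})")
```

In the sample set, the two Office-spawned WMIC launches are reported as high severity, the plain `wmic os get caption` and the built-in `/format:list` call are ignored, and the notepad record is skipped because the image is not WMIC. Because the rule keys on the loader (WMIC plus an external stylesheet) rather than on the hash of a DLL, it keeps working when the payload is re-signed or rebuilt with a fresh hash, which is exactly the change in the variant the article describes.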