New Dridex Variant Evading Traditional Antivirus

Written by

Only 10 days after malware researcher Brad Duncan reported analysis on a new variant of Dridex that bypasses mitigation of application whitelisting techniques by disabling or blocking Windows Script Host, eSentire discovered a new infrastructure pointing to a similar Dridex variant.  

“Dridex malware targets banking information and is delivered via email in the form of a malicious document with embedded macros,” eSentire Threat Intelligence wrote. “At the time of discovery only six antivirus solutions of about 60 detected suspicious behavior. About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.”

As has been the case with the Emotet malware, Dridex has also had many iterations, with its presumed first appearance as Cridex back in 2011. “Over the last decade, Dridex underwent a series of feature augmentation, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Like Emotet, each new version of Dridex traces a further step in the global arms race as the security community responds with new detection and mitigations,” researchers wrote.

It is believed that Dridex will continue to see more variations. “Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” the report said. 

Initially the malware was delivered through a malicious document in an email; however, the different variations allow the macros to respond to different levels of employee engagement, according to the report. 

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior. Given the rapid turnover of infrastructure and indicators, signature-based antivirus solutions will continue to have gaps throughout the Dridex campaign,” the report said.

What’s hot on Infosecurity Magazine?