The rise of malware has become a serious threat to modern communications ever since nefarious coders first spotted an opportunity to steal information from computers for personal gain.
Dridex on the Rise
Dridex is malware created specifically to infect computers and steal financial information, such as online banking credentials. It operates without the knowledge of the computer's owner and silently transmits data to the malicious party, who in turn uses the data to steal money.
According to the HP Threat Research Team, Dridex malware attacks have increased significantly, with a 239% increase from Q3 2020 to Q4 2020. The new year has seen another increase in attacks, with the first month showing infection rates higher than the total Q3 of last year.
Dridex is an old malware family, first detected in 2012 as a Trojan. However, the digital thieves behind it have kept resisting attempts by anti-malware and security teams to stop its spread. They have recently shifted to hosting their malware on hundreds of compromised websites, and the sheer number of websites makes it very difficult to track down and block every URL.
HP Malware Analyst Patrick Schläpfer recently authored a blog on how Dridex currently works:
“Dridex’s distributors commonly propagate the malware using malicious Office documents that download the Trojan from a remote web server. Interestingly, since mid-2020 some of the maldocs started containing hundreds of URLs from which to download the malware. This technique makes the loader more resilient to takedown action by hosting providers and domain registrars. It also increases the likelihood of successfully downloading the payload. Instead of blocking one URL, network security controls such as web proxies would need to block hundreds of URLs to prevent the malware from being downloaded.”
These changing tactics are what make Dridex so difficult to fight effectively: the sheer number of URLs makes blocking them one at a time practically impossible.
The HP Threat Research Team analysis shows that the developers are very active and use varying but very specific methodologies in their attacks:
- Currently there are a total of six methods of hiding the true URL. While this makes it difficult to identify in time which encoding method a given wave uses, it shows that the developers restrict themselves to these variations, making it easier for security experts to decode the URLs and create strategies to fight the malware's spread.
- Each wave of infection uses a different URL-hiding technique from the previous one. This held true across the 30 distinct waves sampled in the second half of 2020.
- The large number of URLs hidden in the maldocs used to download the malware shows how deep and extensive its distribution is, and the scale at which the Trojan is hosted across many different servers.
How Dridex Spreads
Dridex is spread using different types of documents, specifically Microsoft Word documents and Excel spreadsheets. Those controlling Dridex spam users with carefully crafted emails that lead the user to download what seems to be a harmless spreadsheet or document.
Once the file is downloaded and opened, a VBA or Excel 4.0 macro is triggered within the file. This leads to the creation of a PowerShell command or a Windows API call that connects to one of the many payload URLs and downloads the malware. Once downloaded, the malware specifically targets financial data to copy and transmit to Dridex's operators.
This type of malware attack can be very difficult to stop, as it is executed by the computer's own user and much security software fails to detect it. The most promising solution is for companies to invest in hardware-based security.
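The chain described above (a document opened by the user, a macro, then a PowerShell command or API call that fetches the payload) leaves a visible trace in process-creation telemetry: an Office application becomes the parent of a script host. The following is an added example, not code from HP or from the report; it runs a simple detection rule over constructed process events in an assumed `ts|parent_image|child_image|command_line` format that is not any real product's schema, and the hidden/encoded-execution switches it treats as aggravating are a defender's assumption.

```python
"""Flag Office applications spawning script hosts, the first visible step of
the macro-to-PowerShell chain. Added example; event format is an assumption."""
from typing import Dict, List

# Constructed process-creation events (not real telemetry).
# Format (assumed): ts|parent_image|child_image|command_line
SAMPLE_EVENTS = """\
2021-02-01T09:00:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n invoice.doc
2021-02-01T09:00:07Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -enc CONSTRUCTED_BASE64_PLACEHOLDER
2021-02-01T09:01:15Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo test
2021-02-01T09:02:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process
"""

# Parent images that should rarely spawn interpreters on a user workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child images a macro typically uses to run its downloader stage.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches that hide the window or pass an encoded command (assumption: raise severity).
SUSPICIOUS_SWITCHES = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child, cmd = line.split("|", 3)
        events.append({"ts": ts, "parent": image_name(parent),
                       "child": image_name(child), "cmd": cmd})
    return events


def detect_office_spawn(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event where an Office app spawns a script host.

    Severity is 'high' when the child's command line carries a hidden-window
    or encoded-command switch, 'medium' otherwise.
    """
    alerts = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["child"] in SCRIPT_HOSTS:
            cmd = e["cmd"].lower()
            severity = "high" if any(s in cmd for s in SUSPICIOUS_SWITCHES) else "medium"
            alerts.append({**e, "severity": severity, "rule": "office_spawns_script_host"})
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawn(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} {a['severity']:6} {a['parent']} -> {a['child']}: {a['cmd']}")
```

Of the four constructed events only the two with an Office parent fire; the user-launched `powershell.exe Get-Process` under `explorer.exe` does not, which is the distinction that keeps this rule usable on a workstation where PowerShell is legitimately run.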
This hardware security technology isolates any files and links that come from an untrusted location, such as the Internet. The user can still open and edit files, but they are isolated from the rest of the computer. If the file is malicious and attempts to download and run Dridex, it will do so in a secure environment, where it can’t do any harm.
HP Threat Research
HP's threat intelligence was compiled using customer data collected from HP Sure Click Enterprise. The platform uses hardware-powered virtualization technology to isolate and contain threats in secure micro-virtual machines. This technology allows the malware to run in isolated containers, so that it is tricked into showing its hand. The analysis gives researchers sight of the full kill chain of an attempted attack, including how the malware behaves, which can be used to create security signatures that help protect networks from intruders.
HP has also created a free Python script that extracts all the URLs from Dridex maldocs that use one of the six encoding algorithms. Security teams can use the script's output to block potential Dridex payload URLs and find indicators of compromise (IOCs) from HP's research here.
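HP's script is not reproduced on this page and neither are the six encoding schemes, so the following is an added example of the defensive step the article describes in the bullet list above and in this paragraph: pulling URLs out of macro text, collapsing duplicates, and turning them into a per-host blocklist. It is not HP's code and assumes the URLs appear as plain string literals; the macro fragment and its `.invalid` hosts are constructed for the example, and the `deny host` output format is a generic placeholder to adapt to your proxy.

```python
"""Extract payload URLs from macro text and build a per-host proxy blocklist.
Added example (not HP's script): assumes plain-text URL literals only."""
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed VBA-like fragment; hosts use the reserved .invalid TLD.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u(5) As String
    u(0) = "https://shop.example-a.invalid/wp-content/uploads/2021/01/load.dat"
    u(1) = "https://shop.example-a.invalid/wp-includes/js/jquery/x.dat"
    u(2) = "http://blog.example-b.invalid/images/cache/2.dat"
    u(3) = "HTTPS://SHOP.EXAMPLE-A.INVALID/wp-content/uploads/2021/01/load.dat"
    u(4) = "https://cdn.example-c.invalid:8443/assets/3.dat"
    u(5) = "not-a-url"
End Sub
'''

# Matches http(s) literals up to whitespace, quotes or brackets.
URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL literal found in the text, in document order."""
    return URL_RE.findall(text)


def normalize(url: str) -> str:
    """Lower-case scheme and host, keep port, path and query as given.

    Path case is preserved because the hosting web server may treat it
    as significant; the host is case-insensitive and is folded so that
    re-cased copies of the same URL collapse to one entry.
    """
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = host if p.port is None else f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{netloc}{p.path}{query}"


def build_blocklist(text: str) -> Dict[str, List[str]]:
    """Map each host to the sorted set of unique normalized URLs seen on it."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for url in extract_urls(text):
        norm = normalize(url)
        by_host[urlsplit(norm).hostname or ""].add(norm)
    return {h: sorted(urls) for h, urls in sorted(by_host.items())}


def proxy_deny_lines(blocklist: Dict[str, List[str]]) -> List[str]:
    """One deny entry per host (placeholder syntax, adapt to your proxy)."""
    return [f"deny host {host}" for host in blocklist]


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_MACRO)
    total = sum(len(v) for v in bl.values())
    print(f"{total} unique URLs across {len(bl)} hosts")
    for line in proxy_deny_lines(bl):
        print(line)
```

The constructed macro carries five URL literals, of which two are the same URL in different letter case, so the blocklist holds four unique URLs on three hosts. Blocking at host granularity is what turns a list of hundreds of payload URLs into a manageable rule set, which is the takedown-resilience problem the report describes.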
To know more about Dridex malware and how you can protect your computers from the financial threat it can cause, read the latest report by the HP Threat Research team here.