Increase in notifications on Dridex malware infections

CERT.be receives an increase in notifications on Dridex malware infections.

Summary

Dridex is a multifunctional malware package that leverages obfuscated macros in Microsoft Office and extensible markup language (XML) files to infect systems.

The primary goal of Dridex is to steal credentials and online banking data. By collecting this data, the cyber-attackers can access bank accounts and transfer funds to their own accounts. Dridex is generally distributed through phishing email messages.

Both the content and the sender of the email appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open a malicious attached file that will generally initiate the download of the true malware.

Once a computer has been infected, the malware then performs information theft through such methods as form grabbing, key logging, screenshots and site injections.

Mitigation

Dridex is generally delivered via a mail containing an Excel or Word document in attachment.

These documents contain a Macro that downloads the Dridex malware from a tier website and executes it.

Most antivirus do not detect the newest variant of Dridex.

Information from the document can be retrieved using OLE extract tools (eg : oledump.py) and EXIF extract tools (eg : exiftools), but most of the time, the data are obfuscated and requires a deeper inspection.

The malware, once downloaded, will alter running processes to hide his presence.

As far as mid-october 2015, the majority of malware analyzed are running only in memory (even if some Cridex variant we’ve seen so far use a specific process, easier to analyze).

A sandbox malware analysis using a proxy to capture the flows or using full packet captures generally gives good idea on How and with Who (C&C) the malware communicates.

According to your finding, you should be able to set some rules to detect and/or to block the Dridex communication.

Advices

PREVENTION - Where appropriate and in accordance with your internal security policy, block malicious sources (domains, etc) on the IPS, firewalls and/or routers at the perimeter of your Internet-connected networks.

The guidance for protecting against a Dridex infection is the same as most other malware attacks. Even if the new variants of Dridex are not immediately detectable, the antivirus actors are reacting as quickly as possible to feed their solutions with the signature of the newest variant.

So, any case, Windows users should ensure they have an up-to-date antivirus program running on their computer, which should be able to intercept the infected attachments before they are seen.

Also, be sure to have a windows system up-to-date, with all the application patches applied.

Users should also be careful of opening attachments sent from unrecognized email addresses, particularly Word and Excel files; and they should disable macros in Microsoft Office, or at least set them to request permission before they run.
As some of Dridex can appear coming from a well-known source, users should also pay attention to real email address used under the well known display name.

Inform your users to report to you if they suspect clicking / opening something malicious ; you can’t prevent users from clicking, but train them to report things.

DETECTION - Detect attacks on your IT infrastructure by feeding signatures in your IDS, from your internal malware analysis or external source. Review your logs for occurrences of the attributes (connection to blacklisted IP, network behavior, …). Scan your infrastructure to search for presence of malware.

REACTION - In case of matches, take the necessary steps to identify compromised systems, perform a damage assessment. In case of advanced persistent threat, it may be worth observing the behavior of the infected host (network connection, process monitoring, …) and collect further information concerning the attackers interests, techniques, tactics and procedures.

As the Dridex malware runs generally only in memory, the best way to remove it is to make a hard reset (brutally cut the power of the machine), to avoid the auto-save of the malware at normal shutdown process.
The system should then be started and reanalyzed in an isolated network before re-added to the production environment.

External references

https://www.us-cert.gov/ncas/alerts/TA15-286A
http://www.symantec.com/connect/blogs/dridex-and-how-overcome-it
http://www.nationalcrimeagency.gov.uk/news/723-uk-internet-users-potenti...
https://www.fireeye.com/blog/threat-research/2015/06/evolution_of_dridex...
https://feodotracker.abuse.ch/?filter=version_d
https://isc.sans.edu/forums/diary/Dridex+Phishing+Campaign+uses+Maliciou...