win.dridex

Dridex

Actor(s): TA505, INDRIK SPIDER


The OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet; if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short-term."
According to Malwarebytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

References
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
https://viql.github.io/dridex/
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
Yara Rules
[TLP:WHITE] win_dridex_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7503 33c0 c3 8a01 }
            // n = 4, score = 37000
            //   7503                 | jne                 0x755055
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   8a01                 | mov                 al, byte ptr [ecx]

        $sequence_1 = { 0fb64e03 0fb64604 c1e108 0bc8 }
            // n = 4, score = 36000
            //   0fb64e03             | movzx               ecx, byte ptr [esi + 3]
            //   0fb64604             | movzx               eax, byte ptr [esi + 4]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax

        $sequence_2 = { 833810 7d06 80780c00 74ea }
            // n = 4, score = 36000
            //   833810               | cmp                 dword ptr [eax], 0x10
            //   7d06                 | jge                 0x74b11f
            //   80780c00             | cmp                 byte ptr [eax + 0xc], 0
            //   74ea                 | je                  0x74b109

        $sequence_3 = { 33c9 eb02 8bc1 85c0 }
            // n = 4, score = 36000
            //   33c9                 | xor                 ecx, ecx
            //   eb02                 | jmp                 0x74def5
            //   8bc1                 | mov                 eax, ecx
            //   85c0                 | test                eax, eax

        $sequence_4 = { ffd0 eb02 8bc7 83f8ff }
            // n = 4, score = 36000
            //   ffd0                 | call                eax
            //   eb02                 | jmp                 0x75aeda
            //   8bc7                 | mov                 eax, edi
            //   83f8ff               | cmp                 eax, 0xff

        $sequence_5 = { 80780c00 74ea 833850 7de5 }
            // n = 4, score = 36000
            //   80780c00             | cmp                 byte ptr [eax + 0xc], 0
            //   74ea                 | je                  0x74b109
            //   833850               | cmp                 dword ptr [eax], 0x50
            //   7de5                 | jge                 0x74b109

        $sequence_6 = { 7d06 80780c00 74ea 833850 }
            // n = 4, score = 36000
            //   7d06                 | jge                 0x74b11f
            //   80780c00             | cmp                 byte ptr [eax + 0xc], 0
            //   74ea                 | je                  0x74b109
            //   833850               | cmp                 dword ptr [eax], 0x50

        $sequence_7 = { 83f917 7608 8d41e7 83f80c }
            // n = 4, score = 36000
            //   83f917               | cmp                 ecx, 0x17
            //   7608                 | jbe                 0x76567b
            //   8d41e7               | lea                 eax, dword ptr [ecx - 0x19]
            //   83f80c               | cmp                 eax, 0xc

        $sequence_8 = { 750c 83f803 7c10 eb05 }
            // n = 4, score = 36000
            //   750c                 | jne                 0x7474bf
            //   83f803               | cmp                 eax, 3
            //   7c10                 | jl                  0x7474c8
            //   eb05                 | jmp                 0x7474bf

        $sequence_9 = { 83f803 7c10 eb05 83f803 }
            // n = 4, score = 36000
            //   83f803               | cmp                 eax, 3
            //   7c10                 | jl                  0x7474c8
            //   eb05                 | jmp                 0x7474bf
            //   83f803               | cmp                 eax, 3

    condition:
        7 of them
}
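The rule above is a yara-signator product: ten plain hex strings lifted from one sample's disassembly, tied together by a "7 of them" threshold. The following Python is an added example (not Malpedia's, yara-signator's or the rule author's code) that parses the rule's `$sequence_N` strings, evaluates the threshold against a byte buffer, and lists sequences whose suffix is another sequence's prefix. That last check matters when assigning confidence, as the disclaimer asks: sequences 2, 5 and 6 and sequences 8 and 9 overlap, so a single code region can contribute several hits toward the seven required. The buffers scanned at the bottom are constructed test data, not Dridex memory, and the scanner only understands the plain hex strings this rule uses (no wildcards or jumps); for production scanning use YARA itself.

```python
import re

# Hex strings copied verbatim from the win_dridex_auto rule on this page; the
# disassembly comments are omitted because only the bytes take part in matching.
RULE_TEXT = """
    strings:
        $sequence_0 = { 7503 33c0 c3 8a01 }
        $sequence_1 = { 0fb64e03 0fb64604 c1e108 0bc8 }
        $sequence_2 = { 833810 7d06 80780c00 74ea }
        $sequence_3 = { 33c9 eb02 8bc1 85c0 }
        $sequence_4 = { ffd0 eb02 8bc7 83f8ff }
        $sequence_5 = { 80780c00 74ea 833850 7de5 }
        $sequence_6 = { 7d06 80780c00 74ea 833850 }
        $sequence_7 = { 83f917 7608 8d41e7 83f80c }
        $sequence_8 = { 750c 83f803 7c10 eb05 }
        $sequence_9 = { 83f803 7c10 eb05 83f803 }
    condition:
        7 of them
"""

SEQ_RE = re.compile(r"\$(\w+)\s*=\s*\{([^}]*)\}")
COND_RE = re.compile(r"condition:\s*(\d+)\s+of\s+them")


def parse_rule(rule_text):
    """Return ({name: bytes}, threshold) for a plain-hex rule with an 'N of them' condition."""
    seqs = {}
    for name, body in SEQ_RE.findall(rule_text):
        hexstr = "".join(body.split())
        # yara-signator emits plain hex only; refuse wildcards/jumps this scanner cannot match
        if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
            raise ValueError(f"unsupported or malformed hex string in ${name}")
        seqs[name] = bytes.fromhex(hexstr)
    m = COND_RE.search(rule_text)
    if m is None:
        raise ValueError("only 'N of them' conditions are supported")
    return seqs, int(m.group(1))


def matched_sequences(data, seqs):
    """Names of the sequences that occur at least once anywhere in data."""
    return sorted(name for name, pattern in seqs.items() if pattern in data)


def rule_matches(data, seqs, threshold):
    """Evaluate the 'N of them' condition against a byte buffer."""
    return len(matched_sequences(data, seqs)) >= threshold


def overlapping_pairs(seqs, min_overlap=4):
    """(a, b, k) where the last k bytes of sequence a equal the first k bytes of sequence b.

    Such pairs can be satisfied by one contiguous code region, so a single basic
    block may count more than once toward the threshold.
    """
    pairs = []
    for a, pa in seqs.items():
        for b, pb in seqs.items():
            if a == b:
                continue
            for k in range(min(len(pa), len(pb)), min_overlap - 1, -1):
                if pa[-k:] == pb[:k]:
                    pairs.append((a, b, k))
                    break
    return sorted(pairs)


SEQS, THRESHOLD = parse_rule(RULE_TEXT)

# Constructed test buffers (not real Dridex memory). NOP filler keeps neighbouring
# fragments from joining into unintended matches; the two regions are stitched
# from the overlapping sequences 2+6+5 and 8+9 respectively.
FILLER = b"\x90" * 4
REGION_2_6_5 = bytes.fromhex("8338107d0680780c0074ea8338507de5")
REGION_8_9 = bytes.fromhex("750c83f8037c10eb0583f803")
SAMPLE_HIT = FILLER.join([b"", SEQS["sequence_0"], SEQS["sequence_1"], SEQS["sequence_3"],
                          SEQS["sequence_4"], SEQS["sequence_7"], REGION_2_6_5, b""])
SAMPLE_MISS = FILLER.join([b"", REGION_2_6_5, REGION_8_9, b""])

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        hits = matched_sequences(buf, SEQS)
        print(f"{label}: {len(hits)}/{THRESHOLD} -> {rule_matches(buf, SEQS, THRESHOLD)} {hits}")
    print("overlapping sequence pairs:", overlapping_pairs(SEQS))
```

SAMPLE_HIT carries eight distinct sequences and matches; SAMPLE_MISS carries five and does not, even though its two small regions alone produce five hits. The overlap report is the point to keep in mind when tuning such rules: the distinct code regions behind a "7 of them" verdict can be fewer than seven.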