430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New variant of Dridex banking Trojan implements polymorphism

Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that shows polymorphism. Security experts at eSentire observed a new campaign spreading a variant of the Dridex banking Trojan that implements polymorphism. The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the […]

Dridex new

Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that shows polymorphism.

Security experts at eSentire observed a new campaign spreading a variant of the Dridex banking Trojan that implements polymorphism.

The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

Even if the activity of Dridex decreased in the last couple of years, crooks continued to updates it adding new features such the support of XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.  

Malware researcher Brad Duncan first observed a new variant of Dridex on June 17 that leverage an Application Whitelisting technique to bypass mitigation via disabling or blocking of Windows Script Host. 

On June 26, 2019, experts at eSentire Threat Intelligence discovered a C2 infrastructure pointing to a similar Dridex variant that was undetected by most of the antivirus listed in VirusTotal service.

“On June 26, 2019, eSentire Threat Intelligence discovered new infrastructure pointing to a similar Dridex variant (see IOCs below).  At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior [2].  About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.” reads the analysis published by eSentire.

Experts noticed that threat actors continuously change up indicators through the current campaign, making it hard for signature-based defense solutions to detect the threat.

“Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” eSentire notes.

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. Duncan pointed out that file paths, file names, and associated hashes would change at every computer login.

Attacks begin with spam emails containing weaponized documents, once victims have executed the embedded macros, the malicious code connects to the ssl-pert[.]com domain to download the Dridex installer.

Dridex new

Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior,” eSentire concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Dridex, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]