U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Last Dridex Trojan variant uses a new tactic to bypass Windows UAC

A new variant of the Dridex Trojan recently observed is leveraging a new tactic to bypass the UAC (User Account Control). Researchers at the security firm Flashpoint have discovered a new campaign leveraging on a new variant of the Dridex Trojan that uses a new tactic to bypass the UAC (User Account Control). The Dridex Trojan […]

Last Dridex Trojan variant uses a new tactic to bypass Windows UAC

A new variant of the Dridex Trojan recently observed is leveraging a new tactic to bypass the UAC (User Account Control).

Researchers at the security firm Flashpoint have discovered a new campaign leveraging on a new variant of the Dridex Trojan that uses a new tactic to bypass the UAC (User Account Control).

The Dridex Trojan was first spotted in 2014, it is considered one of the most pervasive banking trojan. It was most active between 2014 and 2015, and just smaller campaigns were observed throughout 2016.

Dridex Trojan

The last campaign observed by Flashpoint is targeting UK financial institutions, crooks are using “previously-unobserved” Dridex UAC bypass technique that leverages Windows default recovery disc executable recdisc.exe.

“On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.” reads the analysis published by the security firm.

“Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.”

This variant of the Dridex Trojan is  using svchost and spoolsrv to communicate with peers and the first-layer of the Command & Control infrastructure.

Crooks are using spam emails as the attack vector, the malicious messages come with attached Word documents that embed macros that download and execute the Dridex Trojan.

Once infected the Windows machine, the malware moves itself from the current location to the %TEMP% folder.

“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” continues the analysis.

Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll with administrative privileges and bypass the UAC protection on Windows 7.

The mechanism leverage the Windows utility because it is white-listed for auto-elevation.

In order to bypass UAC, the malware creates a directory in Windows\System32\6886, then copies the legitimate binary from Windows\System32\recdisc.exe to Windows\System32\6886\.

Then Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and moves itself to Windows\System32\6886\SPP.dll. The Dridex Trojan then deletes wu*.exe and po*.dll from Windows\System32, after which it executes recdisc.exe and loads itself as impersonated SPP.dll with administrative privileges.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – banking trojan, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]