Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Dridex has evolved to implement advanced evasion techniques, including polymorphism and encrypted payloads.
- Command and Control activities utilize a newly observed domain generation algorithm (DGA) to evade detection.
- The malware exploits common Windows services for lateral movement, aiming for maximum persistence in enterprise networks.
Executive Summary
During our investigation of the latest Dridex banking trojan variant, we observed a series of coordinated attack phases that demonstrated the actor’s evolving tactics. This analysis outlines the initial access vector, execution methods, and command and control (C2) infrastructure employed during the compromise. The findings also highlight lateral movement techniques utilized to proliferate within the victim’s environment, ultimately leading to significant financial impacts through credential harvesting and unauthorized transactions.
Initial Access
The attack chain initiated with a phishing campaign targeting financial institutions. The emails contained malicious attachments masquerading as legitimate invoices. Once executed, the payload, which is a variant of Dridex, dropped onto the victim’s machine, facilitating immediate access. We noted the presence of the file at %TEMP%\invoice.exe, which was the first stage of the malware execution. The initial payload was relatively small, focusing on utilizing Windows management tools to establish a foothold quickly.
Execution & Persistence
The execution of the payload leveraged T1059 – Command-Line Interface to invoke system commands, which helped launch the main Dridex dropper. Post-execution, persistence was achieved through the creation of a scheduled task located at C:\Windows\System32\Tasks\DridexUpdate. This task ran daily to ensure the Dridex implant remained active and could receive updates or additional payloads from the actor’s C2 infrastructure. Our analysis revealed the use of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ to further maintain persistence, with indicators showing changes to startup processes.
Command and Control
The C2 communication was noteworthy for its obfuscation techniques. Our analysis indicated that the trojan used a Domain Generation Algorithm (DGA) to produce a fresh set of candidate domains for communication each day, which allowed the actor to minimize the risk of detection by security monitoring systems. For instance, domains like qwerty12345.xyz were used to fetch additional modules and updates. Communication was primarily over HTTPS (T1071 – Application Layer Protocol), which the actor relied on to exfiltrate sensitive data without drawing attention.
Lateral Movement & Discovery
During our investigation we observed that Dridex moved laterally by abusing valid accounts over Windows Remote Management (WinRM), as documented under T1021 – Remote Services: Remote Desktop Protocol. Credential theft was carried out using the T1003 – Credential Dumping technique, allowing the malware to harvest sensitive credentials stored in the Windows vault. Additionally, it queried Active Directory to enumerate new targets within the network using net group /domain commands.
Impact & Objectives
The impact of the Dridex infection was significant, focused primarily on financial gain through the unauthorized transfer of funds and theft of sensitive banking credentials. Following lateral movement, the malware was able to escalate privileges and gain access to sensitive financial accounts, leading to transactions that compromised the organization’s assets. The actor’s objective appeared clear: to exploit compromised accounts to execute fraudulent transactions while maintaining a low profile within the environment. Our continued monitoring of Dridex behavior patterns suggests a shift towards more targeted attacks, honing in on specific industries.
MITRE ATT&CK Mapping
- T1059 – Command-Line Interface: Use of command line or scripts to execute files.
- T1071 – Application Layer Protocol: Use of common application layer protocols for C2 communications.
- T1021 – Remote Services: Use of remote services for lateral movement.
- T1003 – Credential Dumping: Techniques used to harvest credentials from the operating system.
Detection Opportunities
- Monitor for creation of suspicious scheduled tasks in C:\Windows\System32\Tasks\.
- Detect anomalous domain requests, especially those generated by DGAs.
- Implement logging and monitoring for credential dumping tools or techniques used in the environment.
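The three detection opportunities above, together with the scheduled-task and Run-key persistence and the DGA-based C2 described earlier, can be exercised with the following script. It is an added example for this report, not code from the original analysis or from any vendor product. The key=value event layout, the hostnames, the second DGA-style domain, the benign task, the Run-key value name, the process lines and the scoring thresholds are constructed assumptions; only qwerty12345.xyz, the DridexUpdate task path, the Run key location and the net group /domain command come from the report.

```python
"""Added example (not from the original report or any vendor product):
score DNS events for DGA-looking domains and flag the persistence and
discovery activity the report describes. The key=value event layout and
all sample values not named in the report are constructed assumptions."""
import math
import re
from collections import Counter

VOWELS = set("aeiou")
TASK_ROOT = "c:\\windows\\system32\\tasks\\"
# Assumption: vendor-maintained tasks live under Tasks\Microsoft\; anything
# else directly under the task root is worth review (DridexUpdate sits there).
VENDOR_TASK_DIRS = (TASK_ROOT + "microsoft\\",)
# Run-key images launched from user-writable locations are the suspicious case.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")
# "net group ... /domain" / "net user ... /domain" style AD enumeration.
DOMAIN_DISCOVERY = re.compile(r"^net1?(\.exe)?\s+(group|user)\b.*\s/domain\b", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (hostnames, the second domain, the benign task,
# the Run-key value name and the process lines are invented for illustration).
SAMPLE_EVENTS = [
    "evt=dns host=WS01 query=login.microsoftonline.com",
    "evt=dns host=WS01 query=qwerty12345.xyz",
    "evt=dns host=WS01 query=xk3qz9vb7tplm2.xyz",
    "evt=task host=WS01 path=C:\\Windows\\System32\\Tasks\\DridexUpdate user=jdoe",
    "evt=task host=WS01 path=C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Defrag\\ScheduledDefrag user=SYSTEM",
    "evt=reg host=WS01 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater "
    "value=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe",
    'evt=proc host=WS01 image=C:\\Windows\\System32\\net.exe cmdline="net group /domain"',
    'evt=proc host=WS01 image=C:\\Windows\\System32\\ipconfig.exe cmdline="ipconfig /all"',
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(domain: str):
    """Heuristic DGA score (0-4) on the registrable label, ignoring the TLD.
    The split is naive (co.uk-style suffixes are not handled); thresholds are
    assumptions to be tuned against an organisation's own DNS baseline."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0, {}
    n = len(label)
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    # Longest stretch without a vowel (digits count as non-vowels).
    longest_run = max(len(r) for r in re.split(r"[aeiou]", label))
    features = {"entropy": round(entropy, 2), "digit_ratio": round(digit_ratio, 2),
                "vowel_ratio": round(vowel_ratio, 2), "consonant_run": longest_run}
    score = int((entropy > 3.0) + (digit_ratio > 0.2)
                + (vowel_ratio < 0.2) + (longest_run >= 4))
    return score, features


def parse_event(line: str) -> dict:
    """Turn a key=value line (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def analyze(events):
    """Return a list of findings for the events that match the report's TTPs."""
    findings = []
    for line in events:
        ev = parse_event(line)
        kind = ev.get("evt")
        if kind == "dns":
            score, feats = dga_score(ev["query"])
            if score >= 3:
                findings.append({"type": "dga_domain", "host": ev["host"],
                                 "domain": ev["query"], "score": score, **feats})
        elif kind == "task":
            path = ev["path"].lower()
            if path.startswith(TASK_ROOT) and not path.startswith(VENDOR_TASK_DIRS):
                findings.append({"type": "scheduled_task", "host": ev["host"],
                                 "path": ev["path"], "user": ev.get("user")})
        elif kind == "reg":
            key, value = ev["key"].lower(), ev["value"].lower()
            if "\\currentversion\\run" in key and any(d in value for d in USER_WRITABLE):
                findings.append({"type": "run_key", "host": ev["host"],
                                 "key": ev["key"], "image": ev["value"]})
        elif kind == "proc":
            if DOMAIN_DISCOVERY.search(ev.get("cmdline", "")):
                findings.append({"type": "domain_discovery", "host": ev["host"],
                                 "image": ev["image"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Character entropy on its own is a weak DGA signal: the label in login.microsoftonline.com already exceeds 3 bits per character, so the score combines entropy with digit density, vowel density and the longest vowel-free run, and only a domain that trips three of the four is flagged. In production the same logic sits behind an allowlist of known-good domains and vendor task folders, and the thresholds are recalibrated on the environment's own baseline.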
Analyst Notes
This analysis highlights the continuous evolution of the Dridex malware family and underscores the necessity for robust email filtering solutions combined with network detection strategies. The use of DGA and obfuscation demands advanced behavioral monitoring to identify anomalous activities within enterprise environments. Organizations are urged to enhance their endpoint detection and response capabilities and develop frameworks for timely response against these sophisticated threats.