Dridex Malware – New Week, New Targets
Our ongoing campaign analysis has revealed that Dridex malware’s latest campaign focus has strongly shifted in recent months from U.K. banks, which had been the main targets previously, to US banks today. Dridex and its latest trends are constantly monitored in our lab, which allowed us to take note when many new targets were recently added to the target list. Redirects to fake pages were most common with U.K. bank incidents. Now the malware mainly uses classical webinjects alongside the redirection technique. The latest campaign is marked as Botnet 301, version 196810. Figure 1: Dridex botnet information The Dridex target list was significantly expanded (129 redirect and injection directives), mainly focusing on U.S. financial institutes, form-grabbing targets on social media sites (which are also related to the United States), credit card companies, and financial investment corporations. The most noticeable observation in the current webinjects is that most of them are accompanied by activating the VNC functionality, which enables the fraudsters to remotely connect to their victim during the credentials theft. Figure 2: Dridex 301 targeted Institutions by country New form-grabbing targets Dridex also steals credentials for non-financial accounts, both over HTTP communication and HTTP over SSL (HTTPS) encrypted communication: Figure 3: Dridex 301 form grabbing of social media information There have been several targets, including: · Yahoo · Microsoft · Skype · Twitter · AOL · Facebook How Dridex initiates VNC communication VNC research conducted by malware researcher Hadas Dorfman Dridex continues using the VNC functionality in order to remotely connect to machines to facilitate the committing of fraudulent transactions. The VNC is used inside the redirection mechanism, which was described in our previous blog post, Dridex Botnet 220 campaign. The following is a snippet of a classical Dridex webinject: Figure 4: Dridex 301 classical webinject When the site's URL matches the URL regex in the webinject, Dridex will inject another “script” tag into the original response from the bank. This will cause the browser to issue a request for the JavaScript script mentioned in the “src” ("scripts/contextprov23.js"). As a result, the request for the script is generated with the domain of the targeted site. For example, if the targeted site was mybank.com, the request for the script that was generated would be "mybank.com/scripts/contextprov23.js". When the request for this script is generated within the browser, it is intercepted by the malware's network hook and is passed to the redirection mechanism, as seen in Figure 5. Figure 5: Dridex 301 redirection directive When the requested script is checked against such a redirection directive and there is a match, the request for the script is dropped and the same script request is launched to a different domain (the “URI” directive), so the script is actually fetched from the fraudster’s server. During the redirection mechanism, the VNC flag (part of the redirect directive in the malware configuration) is checked, and if it’s true, the VNC module is launched. This triggers the browser network hook to deliver a message to the Dridex worker module inside the explorer.exe process. This message signals the worker module to launch the VNC module. The module “vnc_x32” (or “vnc_x64” for 64-bit systems) is responsible for the VNC functionality. It exports: “VncStartServer” and “VncStopServer” functions to operate this activity. While the Dridex worker module inside the explorer.exe process receives the message to launch VNC, the “VncStartServer” function address is resolved and the appropriate function is called. Static code analysis of a “VncStartServer” call: Figure 6: Dridex 301 VncStartServer static view Runtime debugging view: Figure 7: Dridex 301 VncStartServer runtime view Once the VNC server is started, the fraudster is able to remotely connect and use the victim’s machine. Tested MD5: f6a9835201d5cae894863a46bbf12d69 Mitigation F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 enables financial organizations working online to gain control over areas that were once virtually unreachable and indefensible, and to neutralize local threats found on customers’ personal computers, without requiring the installation of software on the end user side. This approach covers the entire install base. The entire solution is delivered from the F5 BIG-IP platform and therefore doesn’t require any integration or modification of the application. Rounding out its offerings, F5 provides professional services and advanced research capabilities in the field of cybercrime including malware, Trojans, viruses, and more. To learn more about F5 fraud protection, read the WebSafe datasheet as well as the MobileSafe datasheet. To learn more about the F5 Security Operation Center, read the F5 SOC datasheet.
Dridex BOTnet 220 Campaign
Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence in the financial threat landscape. The Dridex campaign attributed to BOTnet #220 is very UK financials focused and tries to accomplish its scam by utilizing different mechanics. Web Injects For certain targeted banks pages it uses the classic web-injects, where it injects a malicious script from attacker’s domain directly into the original bank page. The injected code has thousands of lines of code and is mostly focused around stealing login credentials, including one-time password, grabbing personal details and account balances. It also contains automatic transaction infrastructure which was not invoked in the malicious scripts that we have analyzed, but could be easily leveraged once the fraudsters decide. A certain bank was targeted by a dedicated malicious script containing slightly different automatic transactions functionality. The injected script ships with two “fake pages” which will be shown to the victim instead of the original page. The first one will ask for the answer to the security question and will ask to generate a security code using a Secure Key device with an excuse that the victim has entered incorrect information in one or more fields. The second page will be presented under the pretense that the user has exceeded the maximum number of login attempts. It will show the last 4 digits of the target mule account number as a “temporary password” and will ask the victim to type it in his Secure Key device (seems like the bank’s process to “confirm” a transaction). Once the user submits the Secure Key device generated secure code the transaction will be automatically submitted. For certain bank pages the Trojan will inject an interesting script called “news-podmena” (“podmena” is “substitution” in Russian), and it will actually replace the bank’s original security best practices guidelines for its customers with its own fake ones. For a certain bank it was intended to trick clients with smart card authentication. However, for most of the banks it will show a generic security warning recommending not to ignore any pop-up windows, and to follow the process step by step, to increase the fraudster’s chances for running their code and installing more components while bypassing all the security warnings. Another injection type is interesting as well, while it is intended to be injected in any page delivered over HTTPs to grab credit card information. This script is not intended to be injected in the targeted banks pages and once injected in an arbitrary page, the first code snippet of the malicious script will try to match the URL against a list of websites (mostly search engines, banks and webmails) andif a match is foundthe script will delete itself. We assume this is done in order to avoid overloading the C&C with unwanted traffic. Fake Pages An attack vector which strongly identified the Dyre malware is massively used now by Dridex authors. To accomplish that, the latest uses its same old “redirection” technique. The malware part which resides inside the browser implementation (“Man-In-The-Browser”) is able to intercept browser’s requests sent to any domain and redirect them to attacker’s controlled server. The redirection details of which requests to redirect and their exact destination are controlled using the “redirect” directive in the malware configuration. By using this redirection technique, attackers could fetch an external malicious script in their code by using the bank’s domain name in the script’s source URL. For example, the malware can inject a script with a source of “www.mybank.com/evil_script.js”. This request will be intercepted by the Trojan in the browser and the bank’s domain name will be replaced with the fraudster’s domain, like “www.evil.com/evil_script.js”. This way the fraudsters could avoid exposing their domain name in the code injected to the bank’s page and make the request to the external malicious script look legitimate. By observing the attributes of the “redirect” directive in the configuration, it seems also to be related to the VNC and Socks functionality of the malware. This redirection functionality was leveraged to redirect also requests for login pages. In the above example we can see that by using the “redirect” directive in the malware configuration, requests that are made to a certain bank login page will be redirected to attacker’s server and will retrieve a fake page of that bank which was manually crafted by the attackers. The F5 Threat Monitor system detected the experimental phase of this fake page techniqueon several UK banks starting from last April (2015). Who is Next? While analyzing the Trojan, one can notice that it is configured to take screenshots of many French banks. We can just assume that those are preparations for their next campaign. A single Spanish and single Australian bank are targeted as well. Mitigation F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 security products are customizable, so you can address your exact needs. F5 WebSafe provides a solution that identifies injected malicious code in the original web pages, the presence of financial malware on the clients’ machines, detects the Dridex “fake pages” fraud technique in a similar way as the Dyre “fake pages”, and identifies fraudulent automatic transactions. Rounding out its offering, F5 provides professional services, advanced research and intelligence capabilities in the field of cybercrime.
