# Dridex & Anti Virtualisation detection

Dridex seems to be the most prevalent form of malware targeting businesses. Since the turn of the year I've thrown some numbers around about how Dridex is:

  • Targeting the UK Retail & Finance industry
  • Evolved to use PowerShell (platform dependent)
  • Uses rudimentary encryption (ROT13) to attempt to avoid analysis

A newer twist to Dridex is the ability to attempt to circumvent some commercial virtualisation. Here is a snippet from one of the samples freely available on Malwr.com or via the excellent hybrid-analysis.com:

[Screenshot: Screen Shot 2015-03-14 at 10.29.41.png]

Once the sample was detonated I could see it would drop files in %temp%, and those temp files hold the configuration details for the sample currently detonating: it is explicitly attempting to detonate on 'tin' (i.e. physical hardware), for lack of a better phrase. Didier had encountered this sample and came to the same conclusion as me.

I prefer to inspect the malicious Word document with Python scripts rather than detonate it in a sandbox.

I again refer to the excellent BotConf I attended in December and the talk from Paul Jung on sandbox detection.

When inspecting the malicious documents I highly recommend http://www.decalage.info/ and the olevba.py script, which can not only dump the macro and decode base64 strings but will also prettify the content into tables for 'reporting'.

[Screenshot: Screen Shot 2015-03-14 at 10.57.45.png]
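As an added example (my own triage helper, not the author's code and not part of oletools), here is a small Python script that takes VBA source as dumped by olevba and flags string literals that decode via base64 or ROT13, the two encodings mentioned above. The macro fragment, the indicator token list and the helper names are constructed for this example; the ROT13 literal hides a placeholder example.net URL.

```python
import base64
import codecs
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of a macro dropper (not a real Dridex macro):
# a ROT13-encoded URL, a base64-encoded command word and one harmless literal.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, c As String
    u = Rot("uggc://rknzcyr.arg/qebccre.rkr")
    c = B64("cG93ZXJzaGVsbA==")
    MsgBox "Loading"
End Sub
'''

# Tokens that make a decoded literal worth a human look (assumed heuristic, tune for your triage).
INDICATOR_TOKENS = ("http", "://", ".exe", "powershell", "temp")
STRING_LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')  # VBA doubles quotes inside strings
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def vba_string_literals(src: str) -> List[str]:
    """Return every double-quoted literal in a VBA listing, with doubled quotes collapsed."""
    return [m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(src)]

def try_base64(lit: str) -> Optional[str]:
    """Decode lit as base64 when it is well-formed and yields printable text, else None."""
    if len(lit) < 8 or len(lit) % 4 or not BASE64_SHAPE.match(lit):
        return None
    try:
        text = base64.b64decode(lit, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def decode_candidates(src: str) -> List[Tuple[str, str, str]]:
    """Return (literal, method, decoded) for literals that decode to something notable."""
    hits = []
    for lit in vba_string_literals(src):
        b64 = try_base64(lit)
        if b64 is not None:
            hits.append((lit, "base64", b64))
        r13 = codecs.decode(lit, "rot_13")
        # ROT13 always 'decodes', so only report it when the result carries an indicator
        if any(tok in r13.lower() for tok in INDICATOR_TOKENS):
            hits.append((lit, "rot13", r13))
    return hits
```

Running `decode_candidates(SAMPLE_VBA)` on the constructed macro reports the ROT13 URL and the base64 "powershell" literal while ignoring the plain "Loading" string; feed it the VBA text olevba extracts from a real document to get the same listing for that sample.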