Proofpoint and Phishme.com both confirm new developments
Since the beginning of the year, Dridex has returned with a number of new features:

- New botnet IDs targeting Germany
- New persistence methods, including writing to start folders at shutdown
- Increased CPU usage when executing(!)
- AV targeting and debugger checks
A few samples I've analysed over the past few weeks have exhibited new capabilities, at least in terms of the delivery method and 'on disk' activity. 'Macroseses', as they are referred to in the current campaign, still prompt the user to enable macros and still use an AutoOpen mechanism to extract and run. The current delivery is as follows.
The developers appear to be experimenting with new capabilities; the malware I've observed recently appears to be using some rudimentary steganography.
Along with payload development, the content is undergoing some active anti-reversing tricks using debugger checks, which will stop execution if a debugger is detected; I have not personally observed this being used by Dridex this year.
Dridex is actively looking to avoid detection and will exit the process if it detects a debugger attached to it. Further advances to the payload include antivirus checks, which in this particular payload looked for the Comodo security suite.
I also observed some odd behaviour in relation to what mainstream media are describing as 'white hat' activity. One payload was benign and delivered Avira Antivirus in the way I described above.
Some of the compromised sites hosting the Avira payload had what appeared to be a calling card left as a warning with cryptic messages relating to 'owner' or 'pwner?' and the host.
The final observations are the worrying strings associated with the detection of virtualization.
Observed API calls
- Lower 163bcc30 BusVMware
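The debugger, AV and virtualization checks described above leave recognisable strings in a dropped binary, and a static triage pass can surface them before any dynamic analysis. The following is an added example (not code from the post or from the Dridex sample); the indicator strings and the constructed sample bytes are assumptions chosen for illustration.

```python
from typing import Dict, List

# Indicator strings grouped by the behaviour they suggest. The categories
# mirror the post (debugger checks, virtualization detection, AV checks);
# the concrete strings are assumptions for illustration, not extracted
# from the Dridex samples discussed.
ANTI_ANALYSIS_INDICATORS: Dict[str, List[bytes]] = {
    "debugger_check": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                       b"NtQueryInformationProcess"],
    "vm_detection": [b"VMware", b"VBOX", b"QEMU"],
    "av_check": [b"Comodo"],
}


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return, per category, the indicator strings present in data.

    Matching is case-insensitive and checks both narrow (ASCII) and
    wide (UTF-16LE) encodings, since Windows binaries store many such
    strings as wide characters.
    """
    lowered = data.lower()  # bytes.lower() only touches ASCII letters
    hits: Dict[str, List[str]] = {}
    for category, needles in ANTI_ANALYSIS_INDICATORS.items():
        for needle in needles:
            narrow = needle.lower()
            wide = needle.decode("ascii").encode("utf-16-le").lower()
            if narrow in lowered or wide in lowered:
                hits.setdefault(category, []).append(needle.decode("ascii"))
    return hits


def triage_verdict(hits: Dict[str, List[str]]) -> str:
    """Escalate when two or more distinct anti-analysis behaviours co-occur.

    A lone debugger-check import is common in legitimate software; the
    combination with VM and AV probing is what merits a closer look.
    """
    return "review" if len(hits) >= 2 else "low"


# Constructed sample bytes standing in for a dropped executable: a narrow
# import name, a narrow VMware device string and a wide Comodo product name.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00IsDebuggerPresent\x00ExitProcess\x00"
    + b"SCSI\\Disk&Ven_VMware\x00"
    + "COMODO Internet Security".encode("utf-16-le")
)

if __name__ == "__main__":
    found = find_indicators(SAMPLE_BINARY)
    for category, strings in found.items():
        print(f"{category}: {', '.join(strings)}")
    print("verdict:", triage_verdict(found))
```

Wide-string matching matters here: a scanner that only looks for ASCII would miss the Comodo product name in the sample entirely.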