Welcome back #Dridex

My most recent blog post suggested we would see the back of Dridex & Locky; in hindsight that was a bit hopeful. P2P botnets do not die: the very principle they are built on offers a level of persistence that makes them near on impossible to remove.

It has 'returned'. Hat tip to @malwaretech, who has significant fingers in pies with Necurs and can identify a lot of what Dridex is doing. I'm time-limited in terms of RE at the moment, but changes in Dridex have appeared and, thankfully, they are being identified by Matt Mesa at Proofpoint.

What I have identified as a result of some recent changes is OS fingerprinting, which is new (to me at least): Dridex is actively identifying the OS running on the host.

So the question for me is: why is Dridex looking to fingerprint the OS? I observed some interesting checks in the macro too, including the number of documents opened previously (attempted sandbox evasion, I assume), but this is easily bypassed.
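As an added example (not code from this post or from the Dridex sample), here is a small triage scanner for extracted VBA source that flags the two behaviours described above: a recently-opened-documents count used as a sandbox heuristic, and queries for the host OS version. The macro fragment is constructed, and the specific VBA calls it contains (RecentFiles.Count, Environ("OS"), Application.OperatingSystem, Win32_OperatingSystem) are my assumptions about how such checks commonly appear, not what the sample actually uses.

```python
import re

# Constructed VBA fragment (not from the Dridex sample) showing the kinds of
# checks the post describes: a recent-documents threshold and OS identification.
SAMPLE_VBA = """
Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then
        Exit Sub
    End If
    Dim os As String
    os = Environ("OS") & " " & Application.OperatingSystem
    Dim wmi As Object
    Set wmi = GetObject("winmgmts:").ExecQuery("Select * from Win32_OperatingSystem")
    Call Payload(os)
End Sub
"""

# Indicator name -> regex applied line by line to the macro source (assumed
# patterns; tune them against real samples).
INDICATORS = {
    "recent_files_count": re.compile(r"RecentFiles\.Count\s*[<>=]+\s*\d+", re.I),
    "os_environ": re.compile(r'Environ\(\s*"OS"\s*\)', re.I),
    "os_property": re.compile(r"Application\.OperatingSystem", re.I),
    "wmi_os_query": re.compile(r"Win32_OperatingSystem", re.I),
    "auto_exec": re.compile(r"\bSub\s+(AutoOpen|Document_Open)\b", re.I),
}

def scan_macro(source: str) -> dict:
    """Return {indicator: [(line_no, line_text), ...]} for each indicator hit."""
    hits = {}
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append((line_no, line.strip()))
    return hits

def verdict(hits: dict) -> str:
    """Combine indicators: evasion plus OS fingerprinting is the strongest signal."""
    evasion = "recent_files_count" in hits
    fingerprint = any(k in hits for k in ("os_environ", "os_property", "wmi_os_query"))
    if evasion and fingerprint:
        return "high"
    if evasion or fingerprint:
        return "medium"
    return "clean"

if __name__ == "__main__":
    found = scan_macro(SAMPLE_VBA)
    for name, lines in found.items():
        print(name, lines)
    print("verdict:", verdict(found))
```

The same scan can be run over the VBA text that olevba or a similar extractor pulls from a document.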