One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8322466
Publication date 2023-03-28 10:00:00 (viewed: 2023-03-28 10:06:58)
Title Dridex Malware, the banking Trojan
Text The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Introduction:

Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.

The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, installs the malware on the victim's computer. The malware then uses web injections to steal financial information from the victim.

One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.

In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:

Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.

Dridex is a well-known and sophisticated banking Trojan that has been active for more than a decade; the malware has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and evolve.
Recent infection on Macs:

The recent variant of Dridex malware that targets macOS systems delivers malicious macros via documents in a new way. The malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, installs the malware on the victim's computer. The variant overwrites document files to carry Dridex's malicious macros, but currently the payload it delivers is a Microsoft exe file, which won't run in a macOS environment. This suggests that the variant may still be in the testing stages and not yet fully converted to work on macOS machines. However, it's possible that the attackers will make further modifications to make it compatible with macOS in the future.

Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code has a D0CF file format signature, implying it is a Microsoft document file. This means that the malicious macros are delivered via document files, which makes it harder for the user to determine whether the file is malicious or not. The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This method of delivery differs from the traditional method, which is through email attachments. This shows that the attackers behind Dridex are trying to find new targets and more efficient methods of entry.

How it works:

Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim's system. Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing scre
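The macOS variant described above leaves two observable traces on disk: existing .doc files are rewritten as OLE containers (the D0CF signature the post mentions) that now carry VBA macros, and many of them are rewritten at nearly the same moment. The following scanner is an added example written for this page; it is not code from the AlienVault post or from any Dridex analysis. It assumes the standard OLE Compound File magic (D0 CF 11 E0 A1 B1 1A E1) and uses common VBA stream names ("VBA", "Macros", "_VBA_PROJECT" in UTF-16LE, plus the "Attribut" prefix of compressed VBA source) as a heuristic for macro presence; the sample files it builds are constructed stand-ins, not malware.

```python
"""Added example (not from the original post): flag .doc files that are OLE
containers carrying VBA macro markers, then look for a burst of such files
rewritten within a short time window, the footprint of mass overwriting."""
import os
import tempfile
from pathlib import Path

# Standard OLE Compound File header; the first two bytes are the "D0CF"
# signature the article refers to. (Assumed from the file format, not the page.)
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Heuristic macro markers (assumption): OLE directory entries store stream
# names as UTF-16LE, and compressed VBA source streams begin with "Attribut".
MACRO_MARKERS = [s.encode("utf-16-le") for s in ("VBA", "Macros", "_VBA_PROJECT")]
MACRO_MARKERS.append(b"Attribut")


def classify(data: bytes) -> dict:
    """Classify one file's bytes: suspicious = OLE header AND a macro marker."""
    is_ole = data.startswith(OLE_MAGIC)
    has_macro = any(marker in data for marker in MACRO_MARKERS)
    return {"is_ole": is_ole, "has_macro": has_macro, "suspicious": is_ole and has_macro}


def scan_directory(root: str) -> list:
    """Classify every .doc under root; returns (path, mtime, verdict) tuples."""
    results = []
    for path in sorted(Path(root).rglob("*.doc")):
        results.append((str(path), path.stat().st_mtime, classify(path.read_bytes())))
    return results


def overwrite_burst(results, window_seconds: float = 60.0, min_files: int = 3) -> list:
    """Return the largest group of suspicious files whose modification times
    fall inside window_seconds. A user edits one document at a time; a burst
    of macro-bearing .doc files rewritten together points at the overwriter."""
    hits = sorted((mtime, path) for path, mtime, verdict in results if verdict["suspicious"])
    burst = []
    for i, (t0, _) in enumerate(hits):
        group = [p for t, p in hits[i:] if t - t0 <= window_seconds]
        if len(group) >= min_files and len(group) > len(burst):
            burst = group
    return burst


def build_demo_directory() -> str:
    """Create constructed sample files (harmless stand-ins) in a temp dir."""
    root = tempfile.mkdtemp(prefix="doc_scan_demo_")
    clean_ole = OLE_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le")
    macro_ole = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"Attribut"
    samples = {
        "notes.doc": clean_ole,                       # ordinary OLE document, no macros
        "report.doc": macro_ole,                      # three "overwritten" macro carriers
        "invoice.doc": macro_ole,
        "memo.doc": macro_ole,
        "readme.doc": b"plain text, not an OLE file at all",
    }
    stamp = 1_700_000_000.0  # constructed fixed timestamp: all files written "together"
    for name, data in samples.items():
        target = Path(root, name)
        target.write_bytes(data)
        os.utime(target, (stamp, stamp))
    return root


if __name__ == "__main__":
    demo_root = build_demo_directory()
    findings = scan_directory(demo_root)
    for path, _, verdict in findings:
        print(f"{path}: {verdict}")
    print("overwrite burst:", overwrite_burst(findings))
```

Point the scanner at a user's document folders after a suspected phishing incident; a clean system typically yields zero hits, and a cluster of hits with near-identical timestamps is worth escalating even before any payload is recovered.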
Sent Yes
Tags Spam Malware Guideline
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.