New Dridex variant spotted in tax rebate phish

The variant takes new measures to avoid VM detection, PhishMe researchers found.
The variant takes new measures to avoid VM detection, PhishMe researchers found.

While analyzing a tax-themed phishing email – an expected avenue for cyberattackers this time of the year – researchers found a new variant of Dridex malware that piqued their interest.

According to PhishMe, the malicious email contained an iteration of Dridex, a banking trojan related to “Cridex,” which took new measures to avoid virtual machine (VM) detection. In a Wednesday blog post, Ronnie Tokazowski, a senior researcher at PhishMe, wrote that, in order to even analyze the anti-VM code used by attackers, the team had to break a 19-character macro password employed by saboteurs.

In a Friday follow-up interview with SCMagazine.com, Tokazowski explained that Dridex's new VM evasion capabilities are meant to thwart researchers using a virtual machine to analyze malware or automated sandboxing technologies.

“That's one of the biggest takeaways about this [Dridex] variant,” Tokazowski said. “For whatever reason, they didn't want this one to be analyzed,” he said of the malware authors.PhishMe also found that the anti-VM tactics were found in older code.

“It was originally released back in 2008, and I guess it just hasn't been used that much,” Tokazowski said of the malicious code. He added that the new strain of Dridex was developed to recognize at least seven VM mechanisms.

In his blog post, Tokazowski explained that, in order to bypass Dridex's password feature (and examine the malware), researchers modified the code.

“By modifying the function that contains the VM detection code, we can nullify their checks to bypass the security mechanisms. We can also set a breakpoint at our data of interest to see if, when the code is executed, we land where we want to be,” he wrote. “After saving the weaponized .xls file and re-executing it, we will want to enable macros as well. If we go into our file and run the macro, we can see in Figure 12 [image] that the code stops on our breakpoint, successfully bypassing all of the attackers anti VM / anti debugging / anti everything routines!"

Tokazowski said that the phishing email carrying the Dridex variant was designed to look like an authentic email from the UK revenue department HMRC. The subject line for the malicious email dated March 11 was, “Your Tax rebate.”

“This [email] made it to about 7 to 10 internal PhishMe users, but I know it was pretty widespread [outside the customer base],” he said.  Tokazowski also added that, typically, Dridex attackers “will try to hit more than just one company.”

Back in November, researchers at Trend Micro detailed a malware campaign spreading Dridex by way of Microsoft Word documents containing malicious macro code. In those attacks, cybercriminals crafted phishing emails to prey on bank customers primarily in Australia, the UK and U.S. The emails appeared to contain invoices from legitimate financial institutions, Trend Micro said.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS