Detecting a Dridex Variant that Evades Anti-virus
Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies.
How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.
Here’s a screenshot of the phishing email sent to several of our users:
In this specific example, the user is presented with a button to double-click in order to “display the content.”
Once double-clicked, the user is presented with a warning box.
When the user clicks OK, a command shell is spawned in the background to download a sample of Dridex.
It’s amazing how many AV products flag this file as being malicious. The surprising answer is none of them.
Since you need user-input to push the button…this bypasses sandbox technology as well! Once downloaded, the state of detection for Dridex is less grim, with 5/57 AV vendors picking up on it.
While there is no silver bullet to security, user-generated reports have proven very successful here at PhishMe and other organizations, as many of our users have reported new and interesting threats that target not just us, but industries worldwide. By hooking the human into the security program, we not only find new and interesting malware, but we also close the gap on the kill chain.