Dridex in shadows – Blacklisting, Stealth and Crypto-currency


In 2016, Dridex volume has dropped dramatically. Actors now seem to prefer crypto-ransomware like Locky over the notorious banking trojan. Dridex is still in development, however: Forcepoint Security Labs has seen many changes and improvements in the past few months.

Command-and-control (C&C) blacklisting

The Dridex Loader is the initial Dridex executable. It checks in to the C&C servers and requests the module and a list of peers to connect with. This module is the “worker” and contains all core Dridex functionality.

We have recently seen that Dridex loader C&Cs won’t send these payloads back if the initial check-in information doesn’t meet certain criteria. Instead, the response is a 403 HTTP error.


The loader sends check-in information [see above] that contains information about the user’s computer and the environment. All sizes are defined in big-endian format.

The C&C receives information including the user’s computer number, user name and installation date. It also includes a list of all installed software. Dridex operators were able to create profiles of commercial sandboxes as well as researcher VMs.

Dridex operators have made it easy to blacklist these machines, stopping them from obtaining the core modules and the list of peers. It is now more difficult for automated analysis systems to find the correct IPs and block them. During our most recent analysis, we discovered that one of our VMs was blacklisted based upon its user name and date of installation. Once we understood this, it was easy for us to bypass.


Protection of assets

Versions of Dridex loaded before November 2015 used an XML structure that listed the botnet ID and C&C IPs. This was replaced by a binary structure in order to simplify analysis. XML was used by the core module up to March 2016. It then switched to a multi-layered encrypted binary format with Dridex version 3.188 (196796).



Other parts of Dridex are also moving away from XML and have adopted more complex binary formats. This makes the trojan a more difficult threat to analyse.

Main configuration

Despite all the security measures taken by Dridex developers, it is still possible to reconstruct the Dridex settings configuration file received by the core module. This configuration file contains the list of bank websites targeted for code injection and data capture when a browser is infected.

After decryption, each section of the new binary format can be loosely represented as follows:

  • type (BYTE) - the element type (1-12)
  • size (WORD) - the size of the element's content
  • content (variable length) - the content of the element

The element types range from 1 to 12 and indicate what data is in the content. Element type 11, for example, is the “node_tick_interval” element, whose content contains two WORD values.

Other element types include XOR encrypted strings, with the string length as well as the XOR key defined in the content. The following content structure is for element type 1 (“httpshots”):

  • type (BYTE) - the type of “httpshot”, which can be either 0 (deny) or 1 (allow)
  • onget (BYTE) - determines if data should be captured from GET requests to this URL (0,1)
  • onpost (BYTE) - determines if data should be captured from POST requests to this URL (0,1)
  • pattern (variable length) - a structure that contains an encrypted URL regex string to match

The “pattern” entry is a binary structure that contains an encrypted string. Each string’s structure begins with a WORD value that defines the string’s length. Next comes a 4-byte XOR key, followed by the encrypted string content.

  • length (WORD) - defines the length of the encrypted string
  • xorkey (BYTE[4]) - defines the 4-byte XOR encryption key for the string
  • string (variable length) - the encrypted string

In March 2016, Moritz Kroll developed a Python script that reconstructs the configuration from the encrypted stream by parsing these elements. Dridex has a new parameter that redirects elements. This appears to be a default URL.
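The element and string layouts described above can be walked with a short parser. This is an added example, not Moritz Kroll's script or Forcepoint's code; the byte order of the WORD fields, the cyclic reuse of the 4-byte XOR key and all function names are assumptions, and the sample bytes are constructed rather than taken from a real configuration.

```python
import struct  # WORDs assumed big-endian (order=">"); pass "<" if your dump differs
from itertools import cycle

def xor_string(buf, off=0, order=">"):
    """Decode length(WORD) | xorkey(BYTE[4]) | string; key assumed to repeat."""
    if off + 6 > len(buf):
        raise ValueError("truncated string header")
    (length,) = struct.unpack_from(order + "H", buf, off)
    key, enc = buf[off + 2:off + 6], buf[off + 6:off + 6 + length]
    if len(enc) != length:
        raise ValueError("truncated encrypted string")
    return bytes(c ^ k for c, k in zip(enc, cycle(key))).decode("latin-1")

def parse_httpshot(content, order=">"):
    """Element type 1: type, onget, onpost (one BYTE each), then the pattern."""
    if len(content) < 3 or content[0] not in (0, 1):
        raise ValueError("malformed httpshot element")
    return {"action": ("deny", "allow")[content[0]], "onget": bool(content[1]),
            "onpost": bool(content[2]), "pattern": xor_string(content, 3, order)}

def parse_config(blob, order=">"):
    """Walk type(BYTE) | size(WORD) | content elements of a decrypted section."""
    out, off = [], 0
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated element header")
        etype, size = struct.unpack_from(order + "BH", blob, off)
        content = blob[off + 3:off + 3 + size]
        if not 1 <= etype <= 12 or len(content) != size:
            raise ValueError(f"bad element at offset {off}")
        if etype == 1:
            out.append(("httpshot", parse_httpshot(content, order)))
        elif etype == 11 and size == 4:  # node_tick_interval: two WORD values
            out.append(("node_tick_interval", struct.unpack(order + "HH", content)))
        else:
            out.append((etype, content))  # layout not given on the page: keep raw
        off += 3 + size
    return out

def make_sample(order=">"):
    """Constructed test input (not real Dridex data)."""
    key, pat = b"\x11\x22\x33\x44", rb"^https://bank\.example/login"
    enc = bytes(c ^ k for c, k in zip(pat, cycle(key)))
    shot = bytes([1, 0, 1]) + struct.pack(order + "H", len(pat)) + key + enc
    el = lambda t, c: struct.pack(order + "BH", t, len(c)) + c
    return el(1, shot) + el(11, struct.pack(order + "HH", 60, 300))

if __name__ == "__main__":
    print(parse_config(make_sample()))
```

Decoded httpshot patterns are the URL regexes a defender can compare against proxy logs to see which monitored sites a given configuration covers.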


Targeted software and cryptocurrency wallets

Dridex has two lists that can be used to target software currently installed on the system. These lists have been gradually expanding over the years and now include point-of-sale and back-end software, as well as online banking software and a newly added list of crypto currency wallet managers.

Below is a complete list of targeted software that Dridex botnet 1234 used. This was taken on September 2, 2016, from version 3.247 of the worker module.

  avaloq   crealogix,multiversa,abacus,ebics,agro-office,cashcomm,softcrew,coconet,macrogram,mammut,omikron,multicash,quatersoft,alphasys,wineur,epsitec,myaccessweb,bellin,financesuite,moneta,softcash,trinity,financesuite,abrantix,starmoney,sfirm,migrosbank,migros bank,online banking,star money,multibit,bitgo,bither,blockchain,copay,msigna,armory,electrum,coinbase,magnr,keepkey,coinsbank,coolwallet,bitoex,xapo,changetip,coinapult,blocktrail,breadwallet,luxstack,airbitz,schildbach,ledger nano,mycelium,trezor,coinomi,bitcore   WinBacs,albacs,Albany.EFT.Corporate.Client,wpc,eSigner,StartStarMoney,StarMoney,acsagent,accrdsub,acevents,acCOMpkcs,jp2launcher,sllauncher,cspregtool,RegisterTool,OEBMCC32,sfirm,Bbm24win,wip,paypen,mammut_tb,telelink,translink,deltaworks,dfsvc,bitcoin-qt,multibit,BacscomIP2,runclient,paycentre,accesspay,PaymentStudio,DiasClient,SynIntegrationClient,QuestLauncher,RemoteAdminServer,SymForm2App,plink,launch,PaygateWpfClient,terminal,Telelink,EBsec,ftrskr,Suite Entreprise,rbpmain2,rbpmain,tkc,ecbl-nxbp,sagedirect,turbo_teletransmission,cedripack,cedrisend,QikDesktop,QikDesktopCitrix,ConfigurationEditor,InteractFastConfig,otscm-client,ecb-sg,crs1,GbpSV,pstw32,MopaMaes,ldcptv10,gslshmsrvc,launcher,tokensharesrv,universe,ifrun60,roiwin31,guawin32,intwin31,kb_pcb,spawin31,cziwin31,czawin31,sta2gpc,etsr,tellerlauncher,prowin32,dirclt32,PLT1751,PLT1151,cegidebics,CCS3,CCMPS3,ComSX,keepass,c_agent,transac,relaisbtp,telebanking,ewallet,mstsc,cardentry,TPComplianceManager,TPWorkstation,BancLine 2.0,MS000000,BancLine 3.0,BancLine 4.0,BancLine 
5.0,SFW,ptw1151,fedcomp,sfmain,VRNetWorld,KDS,Kasir,ICS,mpkds,pspooler,ipspool,POS-CFG,callerIdserver,EftTray,dpseftxc,EFTSERV,QBPOS,APRINT6,POSCONFG,jRestaurant,AFR38,rmpos,roi,AxUpdatePortal,Firefly,InitEpp,SM22,xfsExplorer,XFSSimulator,WosaXFSTest,kiosk,CRE2004,aspnet_wp,javav,XChrgSrv,rpccEngine,PTService,Rpro8,UTG2Svc,Active-Charge,javaw,DDCDSRV1,alohaedc,dbstpssvc,XPS,Transnet,posw,NCRLoader,PSTTransfer,TSTSolutions,wndaudit,TSTAdmin,TellerDR,merapplauncher,contact manager,goldtllr32,goldtrakpc,farm42phyton,fx4cash,bpcssm,vp-ebanking,LLB Online Banking,efix,iberclear,AMBCN,SGO,SQLpnr,vmware-view,banktelapk,SynJhaIntService,uniservice,client32,CanaraCustMaintenance,legaclt,pcsfe,pcscmenu,cwbtf,srvview,pcsmc2vb,cwb3uic,trcgui,cwbsvstr,rtopcb,cwbujcnv,cwbujbld,cwbuisxe,pcsws,cwbsvd,cwblog,cwbdsk,securID,jhaintexec,appupdate,SGNavigatorApp,dbr,WINTRV,bsaadmin,encompass,eautomate,link,adminconsole,commandclientplugin,commandclientplugin_gui,mfmanager,verex director-server manager,verex director-communication manager,notes,nlnotes,notes2,sacmonitor,netterm,fspnet,bridgerinside,cardserver,si,dais.ebank.client.offlineclient,BGFWIN31,BGDWIN31,BGXWIN31,bocusertool,CLXReader,UBSPay,Migros_Bank_E-Banking,Bank linth Online Banking,java,abastart,abamenu,abajvm,sage200.finanz.gui,vpxclient,htmlshell,mmc,e3K.Main,QOPT,cresus,wineur,abaeb,efinance,GestionPE,BCN-Netkey,Sage 30,ISL_light_client,msaccess,proffix.v4,pxShowThread,grpwise,mammut private,CashCommv5,winbiz

The first list defines strings that are searched for on the file system. Any directory paths matching a string will be reported to a peer node in the format “matched-string|full-path”, such as “electrum|C:\Program Files\Electrum”. This allows Dridex operators to quickly and efficiently profile interesting software systems that could be targeted for financial gain.

The “kl” list specifies the process names that Dridex locates and injects into in order to perform key-logging activities. The key logs are sent periodically to a peer node as “keylog sessions” along with the associated process names.

Statement of protection

Forcepoint™ customers are protected from this threat by TRITON® ACE during the following stages:

  • Stage 2 (Lure) – Malicious emails associated with this attack have been identified and blocked.
  • Stage 5 (Dropper file) – Malicious URLs are blocked from downloading the malware.
  • Stage 6 (Call home) – Dridex cannot communicate with its loader C&Cs.


Dridex activity has been slowing down, but there’s no reason to believe the threat will disappear. It is constantly being improved and developed, making it harder to detect and defend against. Dridex is still delivered via e-mail. It is important that you are vigilant and cautious when opening attachments and links in e-mails. Also, ensure that Microsoft Office macros have been disabled wherever possible. To assist in the ongoing fight against threats like these, we continue to work closely with our colleagues from CERT-UK and other national bodies.

Indicators of Compromise

Dridex Samples (SHA1)

606236dcce09a75aecb64daddaec7d247900a10d
f88d05e5cca62a332fe4267db100086c7bde6379

C&Cs for Dridex Loader

source https://www.forcepoint.com/blog/x-labs/dridex-shadows-blacklisting-stealth-and-crypto-currency
