Tag Archives: Dridex

Canadian hospital under attack

26 March 2016

Reports on cyber-attacks don’t come to an end. Cyber-criminals seem to focus in particular on hospitals this year. In the case of the Norfolk General Hospital, attackers modified the hospital’s homepage to serve the TeslaCrypt ransomware to clueless visitors. The ransomware is delivered by drive-by download when the page is opened – you don’t even need to click on anything on the page.

However, this does not mean that spear-phishing with malicious attachments has gone out of fashion. Cyber-criminals use a range of attack methods, and outdated application middleware on an Internet-facing server is a worthwhile target.

On Tuesday I got two spear-phishing emails directly in my inbox. A quick check on VirusTotal showed that these were two zero-days.

Two hours later, now at home, I analyzed the attachments in more detail. Both attachments contained the same ransomware, but in different document formats. By then the attachments were detected by 6 of 56 anti-malware systems on VirusTotal, e.g. by TrendMicro as W2KM_DRIDEX.YYSSH or by Avira as W2000M/Dldr.Agent.19573. That’s a reasonable result for classic anti-malware systems, although it means that they left the users unprotected for about 4 hours.

The VBA project with the auto-open macro was password protected. But LibreOffice Writer was able to display the macros; it simply overrides the obviously weak VBA project protection of Microsoft Office.

W2KM_DRIDEX.YYSSH Code Sample

The auto-open macro creates a file dsfsdfsdf.vbe, submits the file to the C&C server, downloads an executable named Fuckyourself.ass and runs it. Fuckyourself.ass is detected e.g. by Microsoft as Backdoor:Win32/Drixed and by ESET as Win32/Dridex.AA.

COMODO File Execution Warning

A next-gen endpoint protection solution would have containerized or blocked at least the critical event, the execution of dsfsdfsdf.vbe, and an infection with Dridex would have been prevented – without any delay for updating malware patterns.

Happy Easter!

Is your help desk prepared for this type of malware?

6 February 2016

Some variants of the W2KM_DRIDEX.BM trojan behave really strangely if User Account Control (UAC) is set to the highest level, ‘Always notify me’. In this case the malware attempts several times to elevate its own privileges. For a detailed description of the malware see the post ‘Analysis of an Undetected Dridex Sample’ in the REAQTA blog.

Although this behavior is really annoying, everything went well so far. UAC did exactly what it was designed for: notify the user that something is requesting higher privileges. Without approval by the user, UAC blocks further execution and thus prevents Dridex from becoming persistent.

What next? In the best case, if the user cannot elevate the program, he calls the help desk. But is the help desk staff ready for this? What’s the proper response to this challenge?

The proper response is to quarantine the computer and disinfect the system. Or tell the user to keep calm, create an incident ticket and send it to the SOC.

The worst possible response would be to approve the request by entering the credentials of a privileged account. In this case Dridex starts over, becomes persistent and the attacker can start his malicious work.
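An audit of the UAC setting this post relies on, as an added example (not code from the post): it reads the registry values the UAC slider writes and reports which level is active. It also shows ConsentPromptBehaviorUser, which decides whether a standard user is offered a credential prompt at all; setting it to 0 means the elevation request is denied automatically, so there is no prompt for anyone to type privileged credentials into.

```powershell
# Added example (not from the post): report the active UAC level and what a
# standard user sees when a program asks for elevation. Reading these values
# needs no admin rights.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac  = Get-ItemProperty -Path $path

# Slider positions map to (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop):
$levels = @{
    '2,1' = 'Always notify me'
    '5,1' = 'Notify me only when apps try to make changes (default)'
    '5,0' = 'Notify me only when apps try to make changes (do not dim my desktop)'
    '0,0' = 'Never notify'
}
$key   = '{0},{1}' -f $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop
$level = if ($levels.ContainsKey($key)) { $levels[$key] } else { "custom ($key)" }

if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA=0): the elevation attempts would not have been stopped.'
} else {
    Write-Output "UAC level: $level"
}

# ConsentPromptBehaviorUser controls the prompt shown to standard users:
#   3 = prompt for credentials on the secure desktop (default)
#   1 = prompt for credentials on the normal desktop
#   0 = automatically deny the request, no prompt at all
switch ($uac.ConsentPromptBehaviorUser) {
    0 { Write-Output 'Standard users: elevation requests are denied automatically.' }
    1 { Write-Warning 'Standard users: credential prompt is NOT on the secure desktop.' }
    default { Write-Output 'Standard users: credential prompt on the secure desktop (default).' }
}
```

With ConsentPromptBehaviorUser set to 0, a user who cannot elevate only sees the program fail and can call the help desk, which is exactly the path the post hopes for.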

Golden Triangle of IT Security

IT security is created by a combination of people, processes and technology. Even if processes and technology complement each other perfectly, people may become the critical factor. In particular, if help desk staff turnover is high, awareness training and knowledge management become a major issue.

Have a good weekend.

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a word document attached to an email and you see the message ‘Enable macro if data encoding is incorrect’ you are well on the way to become the victim of a cyber-attack:

Dridex malware requests to lower macro security

Word blocked the auto-open macro in the document to prevent its execution. In the case of the document ‘Fax 49 2232949992120160128232732.doc’ it’s the trojan ‘W2KM_DRIDEX.BM’. Besides other malicious activities, the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything went well. Word was well secured and blocked the auto-open macro from executing the payload. The best way to proceed is to close Word and delete the email and the downloaded attachment.

But if you comply with the request and lower the macro security settings in Word, you will definitely be tricked.

As always, the first line of defense is a well-trained user who follows the commandments:

  • ‘Think twice before you click on whatever links or attachments’,
  • ‘Never lower your security settings upon requests of whatever sources’ and
  • ‘Disable all macros with notification’ in Word Trust Center, section Macro Settings.
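The third commandment can be enforced rather than left to the user. As an added example (not code from the post), this script writes the Word macro setting into the policy hive, where it overrides the Trust Center choice and greys out the dialog, so a request to ‘enable macros’ cannot be followed. It assumes Office 2016 or later (version key 16.0); Office 2013 uses 15.0.

```powershell
# Added example (not from the post): enforce 'Disable all macros with notification'
# for Word via the policy key, which takes precedence over the user's Trust Center choice.
$officeVersion = '16.0'   # assumption: Office 2016/2019/365; use '15.0' for Office 2013
$policy = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"
$user   = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"

# VBAWarnings values as written by Trust Center > Macro Settings:
#   1 = Enable all macros (the weak setting the document asks for)
#   2 = Disable all macros with notification (the setting the post recommends)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
$vbaWarnings = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting([string]$Path) {
    # Returns $null when the key or the value does not exist yet
    (Get-ItemProperty -Path $Path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
}

$current = Get-MacroSetting $user
if ($null -ne $current) {
    Write-Output ('User setting before: {0} ({1})' -f $current, $vbaWarnings[[int]$current])
}

New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name VBAWarnings -Value 2 -Type DWord
# Office 2016+: also block macros in files that carry the Mark-of-the-Web
# (e-mail attachments and downloads), whatever the user clicks in the message bar.
Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

$enforced = Get-MacroSetting $policy
Write-Output ('Policy setting now: {0} ({1})' -f $enforced, $vbaWarnings[[int]$enforced])
```

The script only touches HKCU, so it runs without admin rights; in a domain the same values are normally delivered by Group Policy.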

In the worst case it may end in a blackout for a whole country, as happened in Ukraine on 23 December 2015.

Have a good weekend.

Consumers cut off from progress in endpoint protection?

23 January 2016

The Dridex banking Trojan is back from the ashes like the Phoenix. In his post ‘Dridex malware adopts redirection attacks to target high-value UK banking customers’, published on 20 January 2016 on the GrahamCluley security blog, David Bisson clearly shows that the Trojan attacks banks and end users with terrifying speed.

How can end users protect themselves?

‘As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.’

To be honest, the advice to keep the anti-virus solution up-to-date creates a false sense of security. Let me give you a current example.

Last Tuesday I got an email with an attachment containing the malware ‘VirTool:Win32/CeeInject.GF’. I uploaded the attachment to VirusTotal for inspection and found that only 8 of 54 anti-virus solutions identified the malware, although the malware or a variant was first published about 9 months ago:

Table 1: Result of first scan

These are definitely not the heavyweights in the consumer market. 7 hours later only 12 of 54 anti-virus solutions identified the malware. For the development over the next days see the following table:

Table 2: Changes in identification rate

In the worst case consumers were unprotected for about 2 days. Moreover, up to yesterday evening 22 of 54 anti-virus solutions had still not identified the malware.

Advanced endpoint security tools would definitely do better. Unfortunately the vendors of such solutions focus on business customers.

In the latest issue of the Cyber Intelligencer Michael Applebaum writes:

‘What the industry desperately needs is rigorous, scientifically validated third-party testing of endpoint security technologies, across a range of real-world scenarios. Invincea has been prominently calling for this and we hope to see progress in 2016 by reputable third parties.’

Even more than the industry, consumers need decision-making aids on how to protect themselves effectively against malware. At the moment they are not benefiting from the progress in technology at all.

As always the user is the first and best line of defense. ‘Check twice before you click on whatever links or attachments’, is the best possible advice.

Have a good weekend, and, don’t rely too much on your anti-virus solution!

Some thoughts on ‘Dridex Reminds Us: You Can’t Prevent What You Can’t Detect’

28 March 2015

The latest Bromium post is really worth reading. Dridex is a further development of the Cridex Trojan. Dridex’s only goal is to steal your online banking credentials, to allow cyber-criminals to empty your bank accounts.

Dridex is a real beast. The developers hide the payload in Microsoft Office AutoClose macros to circumvent the protection provided by the built-in sandboxing technology. Properly configured protected mode is a serious obstacle, but the bad guys have taken even this into account.

Michael Mimoso writes on Threatpost: ‘While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document.’

The first line of defense, user awareness, has failed spectacularly! If someone tries to persuade you to disable protected mode for viewing an email attachment, it is very likely that this is a cyber-attack.

Task virtualization would have protected the user in this case. But even task virtualization has its limitations. From my point of view, well-trained users who are aware of the dangers of the internet are the first line of defense today. Technology supports them in staying secure

… unless the users deactivate it or the attackers bypass it.

Have a good weekend.