Dridex Banking Trojan Bans Suspicious Hosts and Adds Crypto-Currency Wallets to its Hit List

Recent samples of the notorious Dridex banking Trojan suggest that upcoming versions will be able to steal cryptocurrency wallet credentials.

Dridex, aka Cridex or Bugat, is the name of both the banking Trojan and its botnet, used for other illegal activities like sending spam messages.

The Dridex gang is, without a doubt, one of the most dangerous and professional cybercriminal groups. The developers of this banking Trojan work non-stop to update their product's source code with new features and to keep it from being detected by security software.

A recent study by the security company Forcepoint documents some of the low-level code changes that have helped Dridex stay under the radar of security software over the last couple of months. The report also points to some aspects of the Trojan's future.

One of the most important and noticeable changes concerns the Dridex configuration file. Previously it was sent from the C&C server to victims as a cleartext XML file; it is now delivered in an encrypted binary format.

However, the most interesting change is that the Trojan can now ban suspicious hosts, refusing to infect them.

Dridex doesn't attack its victims bluntly. It is far more sophisticated than that. First, the initial infection component, the Dridex loader, gathers information about each host: the PC's name, the OS type, version and installation date, and system details such as the list of installed software. All of this information is then sent to the Dridex servers.

With this information Dridex builds a database of infected hosts. The Trojan's developers realized they could use this database to identify machines with security-related and reverse-engineering software installed, i.e. the workstations of malware analysts.

In newer Dridex variants, the authors have blacklisted those workstations. Recent variants therefore won't send the main Dridex payload if the PC appears on one of the blacklists.

According to Forcepoint, the blacklist is compiled from the installed-software lists the loader reports, but it is enforced only on the computer's username and OS installation date. That gap still allows security researchers to get around it: a machine with the same analysis tools but a different username or OS install date passes the check.
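The gating logic described above, as an added model in Python. This is constructed example code, not Dridex code or anything Forcepoint published: the profile fields mirror what the article says the loader collects, while the list of analysis-tool names and the sample host profiles are assumptions made up for the example. It shows why building the blacklist from the software list but enforcing it on (username, OS install date) leaves a hole a re-imaged analyst box slips through.

```python
"""Model of the host profiling and blacklist gating described in the article.

Constructed example, not Dridex code. ANALYSIS_TOOLS and the sample profiles
are assumptions; Forcepoint did not publish the real lists.
"""
from dataclasses import dataclass
from datetime import date

# Assumed markers of an analysis workstation (illustrative, not the real list).
ANALYSIS_TOOLS = {"ida", "ollydbg", "x64dbg", "wireshark", "procmon", "fiddler"}


@dataclass(frozen=True)
class HostProfile:
    """Fields the article says the loader reports to the C&C server."""
    computer_name: str
    username: str
    os_type: str
    os_version: str
    os_install_date: date
    installed_software: tuple = ()


def looks_like_analyst(profile):
    """Build-time rule: flag a host whose installed software mentions an analysis tool.

    Matches on whole words so that e.g. "NVIDIA" does not trigger on "ida".
    """
    words = {w for name in profile.installed_software for w in name.lower().split()}
    return bool(words & ANALYSIS_TOOLS)


def build_blacklist(profiles):
    """Server side: derive the blacklist from the reported software lists,
    but store only (username, OS install date), which is all enforcement uses."""
    return {
        (p.username.lower(), p.os_install_date)
        for p in profiles
        if looks_like_analyst(p)
    }


def should_deliver_payload(profile, blacklist):
    """Enforcement step: only username and OS install date are checked."""
    return (profile.username.lower(), profile.os_install_date) not in blacklist


# Constructed sample telemetry, as if reported by two infected hosts.
REPORTED = [
    HostProfile("LAB-01", "analyst", "Windows", "7 SP1", date(2015, 3, 2),
                ("IDA Pro 6.8", "Wireshark", "Microsoft Office")),
    HostProfile("HOME-PC", "john", "Windows", "10", date(2016, 1, 15),
                ("Google Chrome", "Microsoft Office")),
]
BLACKLIST = build_blacklist(REPORTED)

# Same analysis tools, but a fresh username and a different install date:
# the gate lets this host through because the software list is not re-checked.
RESEARCHER_REIMAGED = HostProfile("LAB-02", "jane", "Windows", "7 SP1", date(2016, 4, 1),
                                  ("IDA Pro 6.8", "x64dbg"))

if __name__ == "__main__":
    for host in REPORTED + [RESEARCHER_REIMAGED]:
        print(host.computer_name, "->",
              "deliver payload" if should_deliver_payload(host, BLACKLIST) else "banned")
```

The practical reading for analysts: since the check keys on username and OS install date rather than on what is installed, a sandbox or analysis VM that reports a non-blacklisted username and a plausible, recent install date will still receive the main payload.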

Moreover, the banning feature is not the only new one. Dridex's developers are now gearing up for a second: targeting Bitcoin wallets.

Researchers from Forcepoint say that the malware authors are currently scanning targeted machines for the names of popular crypto-currency wallets. Dridex already has the ability to log credentials for online banking portals, PoS software, and professional backend banking software. And now, given the fact it is building a database of the most popular crypto-currency wallets, there is a high chance that its future versions will be able to steal Bitcoins and other digital currencies.

However, users should keep in mind that alongside the names of popular Bitcoin wallets like Coinbase, Bitcore, CoinsBank and BreadWallet, the Trojan also scans for the names of other applications. Below is the list of Bitcoin and crypto-currency wallets that newer versions of Dridex scan for.
