Flashpoint security experts have recently come across a new variant of the notorious Dridex banking Trojan that uses a new tactic to bypass User Account Control (UAC).
Dridex is one of the most widely spread banking Trojans. It was first noticed in 2014 and it was most active between then and 2015. In 2016, researchers only observed much smaller Dridex campaigns.
Dridex's latest variant, observed by the Flashpoint security firm, is going after UK-based financial institutions. According to the experts, the Trojan is now using a "previously-unobserved" UAC bypass technique that relies on the Windows default recovery disc executable, recdisc.exe.
“On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.” – reads the analysis published by Flashpoint – “Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.”
This version of the Dridex banking Trojan uses spoolsrv and svchost to communicate with peers and with the first layer of the Command and Control (C&C) server. For the Trojan's distribution, the crooks rely on spam email messages with malicious Word documents attached. These documents embed macros which, when enabled, download and install the Dridex Trojan. Once executed, Dridex moves itself to the %TEMP% folder.
“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself.” – continues the analysis.
Dridex uses the Windows default recovery disc executable “recdisc.exe” to load an impersonated SPP.dll with administrative privileges and bypass the UAC protection on Windows 7.
To bypass UAC, the Trojan creates the directory Windows\System32\6886 and copies the legitimate binary Windows\System32\recdisc.exe into it. Next, it copies itself to %APPDATA%\Local\Temp as a .tmp file and then moves that copy to Windows\System32\6886\SPP.dll.
Finally, Dridex deletes wu*.exe and po*.dll from Windows\System32, executes the copied recdisc.exe, and is loaded by it as the impersonated SPP.dll with administrative privileges.
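The staging sequence above leaves a detectable trail: the legitimate recdisc.exe is copied into a subdirectory of System32, an SPP.dll is written beside it, and recdisc.exe is then executed from that non-standard path. The following added example (not Flashpoint's code or anything from the article) correlates process-creation and file-write events to flag that pattern; it generalizes the article's hard-coded 6886 folder to any directory other than System32 itself. The event tuples are constructed to resemble endpoint telemetry and are not real logs.

```python
"""Flag the recdisc.exe / SPP.dll UAC-bypass staging pattern in endpoint events.

Added example, not from the article. Events are (kind, path) tuples where
kind is "file" (a file was written) or "process" (an image was executed).
"""
import ntpath

# The only place the genuine recovery-disc binary should live.
SYSTEM32 = r"c:\windows\system32"

# Constructed sample telemetry, in the order the article describes.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\recdisc.exe"),           # legitimate launch, benign
    ("file", r"C:\Windows\System32\6886\recdisc.exe"),          # legitimate binary copied out
    ("file", r"C:\Users\victim\AppData\Local\Temp\abcd.tmp"),   # payload dropped, not flagged here
    ("file", r"C:\Windows\System32\6886\SPP.dll"),              # impersonated DLL staged
    ("process", r"C:\Windows\System32\6886\recdisc.exe"),       # copy executed -> loads SPP.dll
]


def _split(path):
    """Normalise a Windows path case-insensitively and split it into (dir, name)."""
    return ntpath.split(ntpath.normpath(path).lower())


def scan(events):
    """Return a list of alerts found in the event stream.

    Two alert kinds are produced:
      ("staging", directory) once both recdisc.exe and spp.dll have been
        written into the same directory outside System32;
      ("exec", path) whenever recdisc.exe is executed from outside System32.
    """
    alerts = []
    staged = {}  # directory -> set of suspicious file names written there
    for kind, path in events:
        directory, name = _split(path)
        if directory == SYSTEM32:
            continue  # the real binary in its real location is expected
        if kind == "file" and name in ("recdisc.exe", "spp.dll"):
            names = staged.setdefault(directory, set())
            names.add(name)
            if names == {"recdisc.exe", "spp.dll"}:
                alerts.append(("staging", directory))
        elif kind == "process" and name == "recdisc.exe":
            alerts.append(("exec", ntpath.join(directory, name)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Either alert on its own is worth investigating: recdisc.exe has no reason to run from anywhere but System32, and a freshly written SPP.dll next to a copy of it is the exact layout the bypass needs. The correlation keyed on directory also catches variants that pick a different folder name.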