Fresh Dridex Samples Hint at Possibility for Cryptocurrency Wallet Credentials Theft
The Dridex banking Trojan, the direct descendant of the Cridex banking malware, looks like it will be around a while longer. The latest efforts of security researchers from Forcepoint, who analyzed recent samples of Dridex code, indicate that there may be some important changes to Dridex in the future.
Dridex was initially a banking Trojan that steals information, including login details, through HTML injection. It is a large-scale operation and not just any random Trojan coded by a guy in his basement. Dridex is a large, coordinated effort conducted by cybercriminals who continuously update and develop extra features in an effort to stay ahead of security researchers.
Dridex Adds New Layer to Evade Security Researchers
The newest analysis of Dridex samples points to low-level code alterations, part of an ongoing effort to evade security researchers and security software suites. One of the major changes is the way new Dridex iterations transmit their configuration file. Previously, this was done using cleartext (unencrypted) XML. Now, Dridex uses an encrypted binary format, which not only makes the threat a tougher nut to crack, it also means Dridex can selectively blacklist certain hosts.
Dridex's method of operation includes a module called a loader. The loader is the first component of the Trojan; it scrapes information about the host and transmits that information to the Dridex servers. The collected data includes the type of OS, OS version, date of installation, and a full list of installed software. Using this information, the Trojan can pick out machines that are security researcher VMs or systems loaded with security-related software, then blacklist them. Once a host is blacklisted, the main infection payload of Dridex is never transmitted to it.
Security researchers remain positive about their future efforts in combating Dridex because, even though the list of installed software is used to blacklist host machines, in practice the ban is only enforced depending on the OS installation date and the computer's username. This gives hope that the struggle against the cybercriminals who maintain Dridex will remain on a level playing field.
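The practical consequence for analysts is that a lab VM has to be checked against the same host traits the loader collects before a sample is detonated on it. The following audit function is an added example, not code from Forcepoint or from Dridex: it takes a host profile shaped like the data the article describes (OS, version, install date, username, installed software) and reports which traits would make the machine look like a researcher box. The age threshold, the generic-username set and the analysis-tool keyword list are assumptions chosen for illustration, not Dridex's actual blacklist criteria.

```python
"""Audit an analysis VM's host profile for the traits the Dridex loader is
reported to collect, so the VM can be adjusted before detonation.
Added example; thresholds and name lists are assumptions, not Dridex data."""
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Assumption: a freshly installed OS is a classic sandbox tell.
MIN_INSTALL_AGE_DAYS = 90
# Constructed list of default/lab usernames (assumption, not from Dridex).
GENERIC_USERNAMES = {"admin", "user", "test", "sandbox", "analyst", "malware"}
# Constructed list of analysis-tool keywords (assumption, not from Dridex).
ANALYSIS_TOOL_KEYWORDS = (
    "wireshark", "procmon", "ida pro", "x64dbg", "fiddler",
    "vmware tools", "virtualbox guest",
)


@dataclass
class HostProfile:
    """The host data the article says the loader scrapes and sends home."""
    os_name: str
    os_version: str
    install_date: date
    username: str
    installed_software: List[str] = field(default_factory=list)


def audit_profile(profile: HostProfile, today: date) -> List[str]:
    """Return a list of findings; an empty list means no sandbox tell was hit."""
    findings = []

    age_days = (today - profile.install_date).days
    if age_days < MIN_INSTALL_AGE_DAYS:
        findings.append(
            f"OS installed {age_days} days ago (threshold {MIN_INSTALL_AGE_DAYS})")

    if profile.username.lower() in GENERIC_USERNAMES:
        findings.append(f"generic username {profile.username!r}")

    for entry in profile.installed_software:
        lowered = entry.lower()
        if any(keyword in lowered for keyword in ANALYSIS_TOOL_KEYWORDS):
            findings.append(f"analysis tool in installed software: {entry}")

    return findings


if __name__ == "__main__":
    # Constructed profile of a typical throwaway lab VM.
    lab_vm = HostProfile(
        os_name="Windows", os_version="7 SP1",
        install_date=date(2016, 1, 1), username="sandbox",
        installed_software=["Wireshark 2.0.1", "Notepad++", "VMware Tools"],
    )
    for finding in audit_profile(lab_vm, today=date(2016, 1, 20)):
        print("-", finding)
```

A profile that returns no findings is not proof the sample will run; the article notes the ban is enforced based on install date and username, so those two are the ones worth fixing first, and the software list is what the loader reports regardless.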
Bitcoin and Other Cryptocurrency Wallets Face New Threat With Dridex
The other major new feature Dridex seems to be pushing towards is hitting cryptocurrency wallets. As explained in recent Forcepoint reports, Dridex now scans its host system for the names of commonly used cryptocurrency wallets. Such actions are an obvious indication that the criminals behind the Trojan intend to start actively stealing Bitcoin and similar digital currencies.
There is already code that seeks the names of widely used Bitcoin wallets such as CoinsBank, BreadWallet, Coinbase, Electrum, and Bitcore, to name a few. The full list is contained in a code block excerpt from the Trojan and contains another couple dozen Bitcoin wallet names as well as other software and terms related to banking and Bitcoin.
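Because the wallet names are embedded in the sample as strings, they make a cheap triage indicator: a binary that carries several of them together is worth a closer look for this feature. The scanner below is an added example, not Forcepoint's or the Trojan's code. It searches a byte blob for each wallet name the article lists, both as ASCII and as UTF-16LE (the usual encoding for wide strings in Windows binaries), case-insensitively, and reports name, encoding and offset. The sample bytes and the "two or more distinct names" verdict threshold are constructed assumptions; the name list is only the subset the article names, not the Trojan's full list.

```python
"""Triage a suspected sample for embedded cryptocurrency wallet names.
Added example; WALLET_NAMES is the subset named in the article, the sample
bytes are constructed, and the verdict threshold is an assumption."""
from typing import List, Tuple

WALLET_NAMES = ["CoinsBank", "BreadWallet", "Coinbase", "Electrum", "Bitcore"]
# Assumption: two or more distinct wallet names is enough to flag for review.
MIN_DISTINCT_NAMES = 2

Hit = Tuple[str, str, int]  # (wallet name, encoding, byte offset)


def find_wallet_strings(data: bytes) -> List[Hit]:
    """Return every case-insensitive ASCII or UTF-16LE occurrence of a name."""
    # bytes.lower() only touches ASCII letters, so it is safe for UTF-16LE too:
    # the interleaved NUL bytes are left alone.
    haystack = data.lower()
    hits: List[Hit] = []
    for name in WALLET_NAMES:
        needles = (
            ("ascii", name.lower().encode("ascii")),
            ("utf16", name.lower().encode("utf-16-le")),
        )
        for encoding, needle in needles:
            start = 0
            while True:
                idx = haystack.find(needle, start)
                if idx < 0:
                    break
                hits.append((name, encoding, idx))
                start = idx + 1
    return hits


def is_wallet_hunting(hits: List[Hit]) -> bool:
    """Verdict: enough distinct wallet names present to flag the sample."""
    return len({name for name, _, _ in hits}) >= MIN_DISTINCT_NAMES


# Constructed stand-in for a sample: fake header, an ASCII wallet name at
# offset 16 and a lowercase UTF-16LE wallet name at offset 28.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Coinbase" + b"\x00" * 4
    + "electrum".encode("utf-16-le") + b"\x00" * 4
    + b"no wallet here"
)

if __name__ == "__main__":
    found = find_wallet_strings(SAMPLE)
    for name, encoding, offset in found:
        print(f"{name:12s} {encoding:5s} @ 0x{offset:08x}")
    print("flag for review:", is_wallet_hunting(found))
```

On a real sample, run this over the unpacked image rather than the packed file on disk, since a string-based check sees nothing through a packer; and treat a single hit as weak evidence, because legitimate software that integrates with an exchange can carry one of these names too.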