The infamous and prolific banking Trojan Dridex has been constantly evolving and appears set to gain the ability to target crypto-currency wallets. Security researchers have noted that recent versions of Dridex also blacklist computer configurations commonly used by security researchers, in an effort to avoid detection.
According to cybersecurity firm Forcepoint, the cybercrime syndicate likely behind the noxious Trojan has made several low-level changes to Dridex in an effort to evade detection by security researchers and malware-detection software. The changes made to the code also indicate the Trojan's likely future capabilities.
Redscan lead penetration tester Robert Page told IBTimes UK: "Dridex is constantly evolving to continue its objective of collecting financial information whilst remaining undetected. Given the increased usage of Cryptocurrency, it's not surprising it's also attempting to gather this type of currency.
It's interesting the malware has improved to prevent analysis by security researchers. Although the anti-sandbox features have been reverse engineered by security researchers in this instance, most likely the malware will continue to improve in future."
Dridex blacklisting security researchers' computers
Detecting Dridex has been a significant challenge for security researchers, especially since the Trojan's infection technique is not straightforward. The Dridex loader, the initial infection tool, first scans the victim's system, collecting information including the computer name, the type and version of the operating system (OS), and more. The Trojan then sends this information to its C&C (command and control) servers.
Forcepoint said: "It has now become trivial for the Dridex operators to blacklist these machines in an attempt to prevent them from obtaining the core module and list of peers. This makes it more difficult for automated analysis systems to find and block the appropriate IPs. During our recent analysis we noticed that one of our VMs had been blacklisted based on its user name and operating system installation date, which of course was trivial for us to bypass once we knew what was going on."
Dridex targeting crypto-currency wallets
Dridex's main configuration files have also been modified to include a list of banking websites on which the Trojan steals data and injects code once it has infected a user's browser.
In addition, Dridex now scans victims' systems for the names of popular Bitcoin and crypto-currency wallets.
"Dridex contains two distinct lists for targeting software that is installed on the current system. These lists have gradually expanded over the months and years, and now include back-end payment and point-of-sale software, online banking software, and a recently added list of crypto-currency wallet managers," Forcepoint said.
ESET security specialist Mark James said: "In the early days malware was fairly rigid in its duties and its ability to adapt but now we often have a very sophisticated piece of code that not only evolves but is able to adapt to current trends for better efficiency. The Dridex banking Trojan is doing exactly that, where previously its victims were POS and banking systems it is now acquiring crypto-currency targets to further its attack footprint. These digital currencies have been a common target lately with some huge breaches involving millions of dollars stolen."
Jonathan Sander, VP of product strategy at Lieberman Software, said: "The Dridex Trojan being upgraded like enterprise software is no surprise in today's professional cybercrime world. Cybercrime makes hundreds of billions in revenue for the bad guys. Some say it's more profitable than the drug trade. Is it any wonder that organized crime has set up operations just as sophisticated as any enterprise software?"
Sander said cybercriminals are now actively pursuing approaches that can help boost their profits. "But the bad guys aren't just on the defence, they're also pushing out new attacks with their team of cybercrime professionals," he added.
"Unlike legitimate software that tells you about the features, though, their new features are new ways to silently pick your virtual pocket and steal your virtual wallet – literally. It's a cyber arms race where we attempt to detect and respond as quickly as possible and they attempt to be evasive to the point of invisibility so we never see them coming."
According to Sander, cybercrime is no longer the work of "lone-wolf" hackers hunkered in front of "a messy desk in a basement". He added: "In truth, today the bad guys would fit right into the Dilbert cartoons. These are professionals developing software in offices with paychecks, benefits, and normal lives. It's their organised crime bosses that are really different."