IntroductionMalware authors use various means to make their malware look similar to legitimate software. One such approach involves signing a malware sample with a digital certificate. Recently we saw Dridex malware authors using this technique while reviewing the samples in our Cloud Sandbox. Dridex is a banking Trojan which typically arrives to a system via malicious spam email with a Microsoft Office file as an attachment. These files will have embedded macros that lead to the download and installation of the Dridex Trojan. Dridex then attempts to steal the victim's banking credentials and system information.
Signed Dridex campaignHere we came across one malicious attachment with an encrypted macro that downloads signed Dridex samples from 18.104.22.168/bt/bt/sti[.]php. This Dridex sample is packed using a custom packer, which is is compiled with .NET. The current Dridex is signed with a certificate that is issued to Private Person Parobii Yuri Romanovich. This certificate as been specially created for spreading the Dridex malware.
- PJSC "BIZNES AVTOMATYKA
- AVTOZVIT Scientific Production Private Company
- Private Person Parobii Yuri Romanovich
- 22.214.171.124/bt/bt/sdp [.] php
- 126.96.36.199/bt/bt/sti [.] php
- 188.8.131.52/bt/bt/ched [.] php
- 184.108.40.206/bt/bt/freda [.] php
- 220.127.116.11/bt/bt/stata [.] php
- 18.104.22.168/bt/bt/chdid [.] php
- 22.214.171.124/bt/bt/grtes [.] php
The Dridex sample is embedded in the resource section of the packer. After unpacking, it drops a Borland Delphi executable file. The following is the snapshot of encrypted resource section:
|Encrypted Resource Section|
The current Dridex sample tries to connect to different IPs included in the config file. The config file for the sample is embedded in the sample itself. In the config file we observed a botnet ID and list of C&C servers. Below is a snapshot of config file:
- Computer Name
- User Name
- Windows Version
- Botnet ID
|Information sent to the server|
The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples. Zscaler ThreatlabZ is actively monitoring these signed malware campaigns and ensuring coverage for our customers.