PINDROP BLOG

Dridex Trojan Using New Method to Bypass Windows UAC

Researchers have found a new version of the old Dridex banking Trojan that is being used in a fresh campaign in the U.K. and employs a novel technique to bypass one of the key security safeguards in Windows.

Dridex has been around for nearly three years and is descended from the GameOver Zeus Trojan, one of the graybeards of the banking malware community. The Dridex Trojan has a number of advanced capabilities, including the ability to steal banking credentials from compromised machines. Dridex usually comes in email messages with infected Word documents.

“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” Vitali Kremez of Flashpoint wrote in an analysis of the malware campaign.

One of the additions in the latest version of Dridex, which Flashpoint said has been used in a relatively small campaign in the U.K., is a feature that allows it to bypass the User Account Control feature in Windows. UAC is one of the mechanisms that Windows uses to prevent malware from gaining control of key processes and applications. Bypassing it gives Dridex a privileged position on infected PCs.

“Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll,” Kremez said.

“Windows 7 automatically elevates a hand-picked list of applications, one of them being recdisc, which further reduces the UAC dialogs a Windows user observes. These applications are referred to as being white-listed for auto-elevation. Dridex leverages this feature to bypass UAC.”

The Dridex malware also uses the peer-to-peer architecture favored by many banking Trojans, which makes it difficult for security researchers to find and sinkhole the command and control servers.

Image: Bruno Girin, CC By Sa license.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed