Hackers are now using the Log4j exploit to install vulnerable devices with Dridex banking malware. Dridex is a veteran banking trojan, originally created to steal online banking credentials. Dridex has evolved into a loader that can download various modules that can be used for different malicious behavior, including installing additional payloads, spreading to other devices, taking screenshots, and more.
Dridex is usually linked to the Evil Corp hacking gang, and has led to a number of ransomware infections. These infections include BitPaymer, DoppelPaymer, and possibly other limited-use ransomware variants.
This week, cybersecurity researchers with Cryptolaemus warned that Log4j is now being used to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.
Cryptolaemus member Joseph Roosen told reporters at BleepingComputer that the threat actors use the Log4j RMI (Remote Method Invocation) exploit variant to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server.
When executed, the Java class will first attempt to download and launch an HTA file from various URLs, which will install the Dridex trojan. If it cannot execute the Windows commands, it will assume the device is running Linux/Unix and download and execute a Python script to install Meterpreter.
Running Meterpreter on a Linux box will provide the threat actors with a remote shell that they can use to deploy further payloads or execute commands.
On Windows, the Java class will download an HTA file and open it, which will cause a VBS file to be created in the C:\ProgramData folder. This VBS file acts as the main downloader for Dridex and has been seen previously in other Dridex email campaigns.
Using Meterpreter, the threat actors can connect to the compromised Linux server and remotely execute commands to spread further on the network, steal data, or deploy ransomware.
With Log4j exploited by threat actors to install a wide range of malware, it comes as no surprise that the more active malware operations would begin to target the vulnerability.
Dridex Banking Malware Analysis
Note: This analysis was provided by AnyRun.
Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.
Thanks to constant evolution, Dridex currently supports very advanced functions like the Atom Bombing injection technique, web injects into Chrome, and Microsoft Word zero-day exploit which helped the Dridex malware to make its way into countless machines despite available removal tools.
Dridex is classified to be the evolution of the GameOver ZeuS, borrowing a C&C architecture from this virus and further improving upon it, making control servers very hard to pinpoint. The Dridex banking trojan also features similarities to other malware – CRIDEX and Bugat. However, while the latest relies mostly on vulnerabilities as an attack vector, Dridex also uses mail spam to infect the machines of its victims.
According to US and UK law enforcement organizations uncovered the identities of people behind Evil Corp — the cybergang that developed Dridex and several other malicious programs. Maxim Yakubets who is living in Moscow is suspected to be the group’s leader. He has been seen driving a Lamborghini Huracan with a number plate that reads “thief” in Russian.
As a result of the investigation, the US Department of State has announced a $5 million reward for turning in Yakubets. This is the largest reward ever offered for a cybercriminal.
The spike in the popularity of the Dridex trojan was recorded in the period between its first spotting in the wild until the year 2015. The subsequent malicious campaigns were fewer in number and perhaps not as global as the ones observed before 2015.
Usually, the malware targets victims in Europe with over half of recorded infections taking place in the UK, though, German, French, and US users are also in danger. Notably Dridex banking trojan never attacks victims in the Russian Federation, which could indicate that the group behind this threat comes from this country.
Dridex is one of the most popular banking trojans in the world, placing at the seventh spot out of the top ten most widely spread viruses of this type by the number of infections in 2015, according to the data of flashpoint-intel.
The malware can perform a series of data-stealing actions including Form-grabbing, screenshot taking, and site injections. This allows Dredex to steal sensitive data such as logins and passwords when the victim logs into their banking account. This data can then be used by the attackers in future campaigns or sold to other criminals.
In addition, the malware is capable of taking screenshots, allowing hackers to collect personal information about the victim. What’s more, the malware is able to change the content of web pages that the user is viewing using web-inject techniques, so when the user enters his login and password, instead of logging into a personal account this sensitive data is sent directly to the attackers.
Dridex trojan uses a Botnet as a Service operation model which entitles that infected PCs can become attack sources for future campaigns. This helps the malware to spread more efficiently and makes its attacks more global.
Some of the previous versions of this malware used to have a fairly unique persistence mechanism which researchers called “invisible”. It was dubbed so because the malware’ dynamic link library (DLL) was saved on a disk, and a registry value was generated to run the malicious DLL at system startup just only before the PC would be turned off.
The new version of Dridex’s maldocs contains hundreds of URLs from which to download the malware. This approach makes malware hard to take down by hosting providers, removal tools, and domain registers. It also increases the chances of downloading the payload. Security controls need to block a big number of URLs to prevent the malware from being downloaded.
Dridex was once again updated and stopped using the debug output message loop. Malware actors also switched their defense evasion technique from the usage of XSL Script Processing (ID T1220) to Signed Binary Proxy Execution using Rundll32 (ID T1218.011).
During 2020 the “team” behind Dridex heavily used Excel malicious documents with Macro 4.0 in its campaigns. Often these maldocs checked the language of the system in which they were opened and quit execution if it didn’t match.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.