Attacks carried out with malware are on a steady rise, making malware a major security concern, especially for enterprises. Attackers used malware in the Sony breach and have since carried out countless other attacks with new malware families. To protect themselves, enterprises are increasingly turning to Cloud Access Security Brokers (CASBs) to detect malware in files uploaded to and downloaded from cloud services. In one such case, Skyhigh detected documents carrying malicious code tied to a new variant of the Dridex malware in an enterprise customer’s file sharing deployment.

What is Dridex Malware

Dridex gained notoriety in 2015 as a financial malware family. It specializes in stealing online banking credentials and spreads primarily through phishing emails carrying Office documents whose macros contain malicious code. When the user opens the attachment, the macro runs and downloads an executable from a remote location. That executable in turn retrieves the ‘manager file’, the component responsible for stealing user information.
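
As an added illustration (not Skyhigh’s scanner and not code from the original post), here is the kind of static pre-check a CASB can run on an uploaded Office document before it syncs down to other endpoints: does the file contain a VBA project, does that project name a procedure that runs automatically on open, and does either contradict what the file extension claims. The samples are constructed in memory; nothing here is a real Dridex dropper, and the auto-exec check is a literal-string heuristic, since real VBA source is stored compressed inside the project.

```python
import io
import re
import zipfile

# Magic bytes of an OLE2 compound document: legacy .doc/.xls files and the
# vbaProject.bin stored inside macro-enabled OOXML files both start with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Procedure names Office runs on its own when the document is opened or closed.
AUTO_EXEC = re.compile(rb"Auto_?Open|Document_Open|Workbook_Open|AutoExec|Auto_?Close", re.I)

# Extensions that promise a macro-free file; macros inside one of these mean the
# name claims one thing and the content contains another.
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def find_macros(data: bytes) -> dict:
    """Static triage of one file's bytes. Returns has_macros, auto_exec and why."""
    verdict = {"has_macros": False, "auto_exec": False, "why": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in storages named VBA / Macros /
        # _VBA_PROJECT, and storage names sit in the directory as UTF-16LE.
        for storage in ("VBA", "Macros", "_VBA_PROJECT"):
            if storage.encode("utf-16-le") in data:
                verdict["has_macros"] = True
                verdict["why"].append("OLE storage " + storage)
        if verdict["has_macros"] and AUTO_EXEC.search(data):
            verdict["auto_exec"] = True
    elif data.startswith(b"PK"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            verdict["why"].append("PK header but not a valid zip container")
            return verdict
        names = zf.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            verdict["has_macros"] = True
            verdict["why"].extend(vba)
            # Module source is MS-OVBA compressed, so this only catches names that
            # survived as literal bytes; use olevba for proper decompression.
            if AUTO_EXEC.search(zf.read(vba[0])):
                verdict["auto_exec"] = True
        if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
            verdict["has_macros"] = True
            verdict["why"].append("macroEnabled content type")
    return verdict


def should_quarantine(filename: str, data: bytes) -> bool:
    """Remediation policy: macros in a file whose extension claims none, or
    macros that fire automatically on open, are quarantined; other macro
    documents pass through (and would be flagged for review)."""
    verdict = find_macros(data)
    if not verdict["has_macros"]:
        return False
    if filename.lower().endswith(MACRO_FREE_EXT):
        return True
    return verdict["auto_exec"]


# --- constructed samples (not real Dridex droppers) --------------------------

def _ooxml(content_types: bytes, vba_blob=None) -> bytes:
    """Build a minimal OOXML container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if vba_blob is not None:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


CT_PLAIN = (b'<Types><Override PartName="/word/document.xml" ContentType="application/'
            b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
FAKE_VBA = (OLE_MAGIC + b"\0" * 64 + "VBA".encode("utf-16-le") + b"\0" * 64
            + b'Sub AutoOpen()\r\nShell "calc.exe"\r\nEnd Sub')

SAMPLE_MACRO_DOCX = _ooxml(CT_PLAIN, FAKE_VBA)   # a .docm renamed to pass as .docx
SAMPLE_CLEAN_DOCX = _ooxml(CT_PLAIN)
SAMPLE_LEGACY_DOC = (OLE_MAGIC + b"\0" * 512 + "Macros".encode("utf-16-le")
                     + b"\0" * 32 + b"Sub Document_Open()")

if __name__ == "__main__":
    for name, blob in (("invoice.docx", SAMPLE_MACRO_DOCX),
                       ("report.docx", SAMPLE_CLEAN_DOCX),
                       ("memo.doc", SAMPLE_LEGACY_DOC)):
        print(name, find_macros(blob), "quarantine" if should_quarantine(name, blob) else "allow")
```

The extension mismatch is the cheapest strong signal: a legitimate .docx never contains vbaProject.bin, so that case needs no macro decompression at all. For everything else this is triage, not a verdict; the UTF-16 storage-name check will also fire on a legacy document that merely contains the text "VBA".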

Once the malware is fully running on the infected system, it steals and exfiltrates sensitive data in several ways. It poisons the local DNS cache so that a request for one of the targeted banks resolves to a fake website. When the user enters login credentials there, the fake site also asks for the two-factor authentication code; both are sent back to the command and control (C&C) server, giving the attackers complete access to the online banking account. The malware also captures user data from a number of other sources, including HTML form submissions, screenshots, and browsing history, which yields email and social media credentials as well.

How Dridex Works – A Technical Deep Dive

The Dridex emails are carefully written to persuade the recipient to click the link that downloads the executable.


The unpacked malware copies itself into the user’s AppData directory as “googleupdaterr.exe” and executes the copy. On execution, it creates a Run registry entry so that it survives reboots.
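
Added example, not from the original post: a hunting check for this persistence pattern. It reads the HKCU and HKLM Run keys on Windows (and falls back to a constructed sample elsewhere) and scores each value on the two signals the Dridex entry above exhibits: the executable lives in a user-writable directory, and its name is a near-miss of a legitimate updater. The KNOWN_GOOD list, the user-writable path patterns and the sample entries are assumptions for the demonstration.

```python
import difflib
import os
import re

# Legitimate auto-start binaries that malware likes to imitate (constructed, short list).
KNOWN_GOOD = {"googleupdate.exe", "adobearm.exe", "onedrive.exe", "svchost.exe", "explorer.exe"}

# Locations any user can write to. Some per-user apps (OneDrive, Teams) legitimately
# persist from here, so this is one signal, not a verdict.
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\downloads\\|%appdata%|%temp%|%localappdata%", re.I)


def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run value ("quoted path" args | bare path args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def assess_run_entry(command: str) -> list:
    """Return the reasons this Run value looks like masquerading persistence."""
    exe = executable_from_command(command)
    base = os.path.basename(exe.replace("\\", "/")).lower()
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append("runs from a user-writable directory")
    if base not in KNOWN_GOOD:
        near = difflib.get_close_matches(base, KNOWN_GOOD, n=1, cutoff=0.8)
        if near:
            reasons.append("name resembles legitimate " + near[0])
    return reasons


def triage(entries) -> list:
    """Entries are (value_name, command) pairs. Flag those with two or more reasons:
    one signal alone is mostly noise (OneDrive in AppData); both together is the
    pattern described above."""
    return [name for name, cmd in entries if len(assess_run_entry(cmd)) >= 2]


def read_run_entries() -> list:
    """Enumerate the HKCU and HKLM Run keys on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            found.append((name, str(value)))
            index += 1
    return found


# Constructed sample, modelled on the googleupdaterr.exe name used by this variant.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("GoogleUpdate", r'"C:\Users\alice\AppData\Roaming\googleupdaterr.exe"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = read_run_entries() or SAMPLE_ENTRIES
    for name, cmd in entries:
        print(name, assess_run_entry(cmd))
    print("flagged:", triage(entries))
```

The name check deliberately uses fuzzy matching rather than an exact blocklist: a blocklist of known bad filenames is stale the moment the next build picks a different typo of a trusted name, whereas "almost a trusted name, but not on disk where that trusted name lives" survives the rename.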

Dridex is built in a modular fashion, with each module having a specific function. For example, the ‘0y2hgif34’ module carries a loader component that is injected into other processes and is responsible for executing the remaining modules, while the ‘4qvndmku0’ module hooks the user’s browser to intercept its send and receive functions. All modules are embedded in the resource section of the binary.

To steal financial credentials, Dridex installs hooks specific to each browser, placed at a layer where it sees both HTTP and HTTPS traffic before TLS encryption is applied. For example, the Firefox hooks are:

  • PR_Read
  • PR_Write
  • PR_Close

(present in NSPR4.DLL or NSS3.DLL)

For Internet Explorer, the hooks are in wininet.dll:

  • ICSecureSocket::Send_Fsm
  • ICSecureSocket::Receive_Fsm
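
The hooks above are installed by overwriting the first bytes of the target function with a jump into the malware’s own code. The following added example (my own, not Skyhigh’s tooling or anything from the original post) shows how a hook scanner recognises that: decode the first instruction of each export, resolve where it transfers control, and flag transfers that leave the module owning the function, especially into memory that no loaded module backs, which is what an injected module looks like. The module map, addresses and prologue bytes are a constructed snapshot, not data from the real sample.

```python
import struct

# Loaded modules and their address ranges (constructed; on a live system this
# comes from the PEB loader list or EnumProcessModules). Injected modules have
# no backing file, so their addresses fall outside every entry here.
SAMPLE_MODULES = {
    "nss3.dll": (0x10000000, 0x10060000),
    "firefox.exe": (0x00400000, 0x00430000),
}


def decode_hook(prologue: bytes, func_addr: int):
    """Decode the first instruction of a function if it diverts control flow.
    Returns (kind, target) or None. Patterns: E9 rel32 (jmp), E8 rel32 (call),
    FF 25 (jmp [mem]), 68 imm32 C3 (push/ret), 48 B8 imm64 FF E0 (mov rax; jmp rax)."""
    mask = 0xFFFFFFFF if func_addr < 1 << 32 else (1 << 64) - 1
    if len(prologue) >= 5 and prologue[0] in (0xE9, 0xE8):
        rel = struct.unpack_from("<i", prologue, 1)[0]
        kind = "jmp rel32" if prologue[0] == 0xE9 else "call rel32"
        return kind, (func_addr + 5 + rel) & mask
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        # Operand is the address of a pointer slot (absolute on x86,
        # RIP-relative on x64); the slot contents decide the final target.
        disp = struct.unpack_from("<i", prologue, 2)[0]
        slot = disp & mask if mask == 0xFFFFFFFF else (func_addr + 6 + disp) & mask
        return "jmp [mem]", slot
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", prologue, 2)[0]
    return None


def owner_module(addr: int, modules: dict):
    """Name of the loaded module containing addr, or None for unbacked memory."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def scan_exports(exports: dict, modules: dict) -> dict:
    """exports maps name -> (address, first bytes). A function whose first
    instruction jumps out of its own module into unbacked memory (or another
    module) is reported; an intra-module jump (thunks, compiler stubs) is not."""
    findings = {}
    for name, (addr, prologue) in exports.items():
        hit = decode_hook(prologue, addr)
        if hit is None:
            continue
        kind, target = hit
        if owner_module(target, modules) != owner_module(addr, modules):
            findings[name] = (kind, target, owner_module(target, modules) or "unbacked memory")
    return findings


def make_jmp_hook(func_addr: int, target: int) -> bytes:
    """Bytes a hooking engine writes over a function: jmp rel32 to its handler."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5))


# Constructed memory snapshot: PR_Write has been patched to jump into a region
# no module owns (what an injected module looks like); PR_Close starts with a
# jmp that stays inside nss3.dll; PR_Read is untouched.
CLEAN_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"   # push ebp; mov ebp,esp; sub esp,0x10
SAMPLE_EXPORTS = {
    "PR_Read":  (0x10001230, CLEAN_PROLOGUE),
    "PR_Write": (0x10001300, make_jmp_hook(0x10001300, 0x00331000)),
    "PR_Close": (0x10001400, make_jmp_hook(0x10001400, 0x10001500)),
}

if __name__ == "__main__":
    for name, finding in scan_exports(SAMPLE_EXPORTS, SAMPLE_MODULES).items():
        print(f"{name}: {finding[0]} -> {finding[1]:#x} ({finding[2]})")
```

The discriminator is the owner comparison, not the presence of a jump: plenty of legitimate exports begin with a jmp to a stub in the same module, and an anti-virus or EDR product will hook the same functions from a signed, file-backed DLL. A first instruction that lands in memory with no module behind it is the case worth paging someone for.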

Everything Dridex does is driven by instructions it receives from its command and control server in a configuration file. Among other things, the configuration lists the banking URLs the malware should monitor.

When a user logs into one of the monitored banking sites, Dridex redirects the browser to its own phishing site to capture the credentials. Some variants, such as the one recently discovered by Skyhigh, have these phishing links hardcoded; others use a Domain Generation Algorithm (DGA) to generate the C&C domains they contact.
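
Added example, not part of the original post: a proxy-log check for the redirect just described. After a client requests one of the monitored banks, any request within a short window to a host the bank does not own, reached either with the bank as Referer or under a look-alike name carrying the bank’s brand, is raised as an alert. The bank list, the log format and the log lines are constructed for the demonstration, and the brand-token extraction is deliberately naive (no public-suffix handling).

```python
from datetime import datetime

# Banking hosts the configuration tells the malware to watch (constructed list;
# the real list is per campaign and comes from the C&C server).
MONITORED = ("bank.example.com", "online.examplebank.com")
WINDOW_SECONDS = 30

# Constructed proxy log: "timestamp client method host path referer" (referer is
# "-" when absent). 10.0.0.7 is steered from the bank's login page to a look-alike
# host within seconds and posts an OTP there with the bank as Referer; 10.0.0.9
# only loads the bank's own static host.
PROXY_LOG = """\
2017-05-02T09:14:02 10.0.0.7 GET bank.example.com /login -
2017-05-02T09:14:05 10.0.0.7 GET bank-example-verify.com /login -
2017-05-02T09:14:06 10.0.0.7 POST bank-example-verify.com /otp http://bank.example.com/login
2017-05-02T09:20:00 10.0.0.9 GET bank.example.com /login -
2017-05-02T09:20:01 10.0.0.9 GET static.bank.example.com /app.js http://bank.example.com/login
2017-05-02T10:01:00 10.0.0.7 GET news.example.org /today -
"""


def parse_line(line: str):
    ts, client, method, host, path, referer = line.split(" ", 5)
    return datetime.fromisoformat(ts), client, method, host.lower(), path, referer


def monitored_bank(host: str):
    """The monitored bank that host belongs to (exact or subdomain), else None."""
    for bank in MONITORED:
        if host == bank or host.endswith("." + bank):
            return bank
    return None


def brand_token(bank: str) -> str:
    """Crude registrable-domain label ("bank.example.com" -> "example").
    Assumption for the sample data; a real deployment would use a public-suffix list."""
    return bank.split(".")[-2]


def referer_host(referer: str) -> str:
    if referer.startswith("http://") or referer.startswith("https://"):
        return referer.split("/")[2].lower()
    return ""


def detect_redirects(log_text: str) -> list:
    """Return (client, bank, host, path) for requests that leave a monitored bank
    for a host the bank does not own, within WINDOW_SECONDS of a bank request by
    the same client, when the new host either carries the bank's brand in its
    name or is reached with the bank as Referer."""
    last_bank_visit = {}
    alerts = []
    for line in log_text.strip().splitlines():
        ts, client, _method, host, path, referer = parse_line(line)
        bank = monitored_bank(host)
        if bank:
            last_bank_visit[client] = (ts, bank)
            continue
        if client not in last_bank_visit:
            continue
        seen_at, bank = last_bank_visit[client]
        if (ts - seen_at).total_seconds() > WINDOW_SECONDS:
            continue
        if monitored_bank(referer_host(referer)) == bank or brand_token(bank) in host:
            alerts.append((client, bank, host, path))
    return alerts


if __name__ == "__main__":
    for alert in detect_redirects(PROXY_LOG):
        print(alert)
```

The time window is what keeps this from being a generic “visited two sites with similar names” rule: the redirect happens at login time, so a brand-bearing host seen an hour later (the news.example.org line) is ignored. The check is a heuristic for the proxy side of the behaviour and says nothing about the endpoint; the browser hooks above are the place to confirm an infection.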

CASB Malware Detection

Dridex actors reach user systems in several ways: email attachments, file sharing services, and injection from targeted websites. Skyhigh detected a variant of this malware in multiple files uploaded to the customer’s cloud file sharing service and quarantined them under the customer’s remediation policy. Users were most likely infected via a phishing email and then uploaded the file through desktop sync or a bulk upload of several folders. File sharing services can propagate malware because folder contents are often set to sync down to every user endpoint that subscribes to the folder.

Skyhigh’s malware scanning uses multi-stage threat detection: machine learning and behavioral analysis, reputation and feed analysis, and static and payload analysis, so that it adapts to evolving malware and new techniques, including evasion tactics. In addition, the inspection environment contains an adaptive array of sandboxes that coaxes highly evasive malware into revealing its behavior and true intent. With these techniques, Skyhigh identified the new, previously unseen variant, which had bypassed the native signature-based detection of the cloud file sharing service.

A recent Ponemon report found that the cost of cybercrime has doubled since 2010, with a minimum cost per company of $1.9 million and a maximum as high as $65 million. Enterprises are increasingly turning to Cloud Access Security Brokers (CASBs) to address malware within cloud services. In addition to scanning files uploaded to cloud services, CASBs enforce device-based controls that block uploads from personal devices, which tend to have a higher rate of malware-infected files because they often lack endpoint protection. Finally, CASBs give IT teams visibility into risky cloud services in use within the company, so they can restrict them, prevent potentially malicious downloads, and strengthen their security posture.