DRIDEX Poses as Fake Certificate in Latest Spam Run

  • Posted on: June 1, 2016 at 5:00 am
  • Posted in: Malware, Spam
  • Author: Trend Micro

By Michael Casayuran, Rhena Inocencio, and Jay Yaneza

At a glance, it seems that DRIDEX has scaled down its activities, appearing only for a few days this May. This is quite unusual, given that for the past five months or so this prevalent online banking threat has been continuously active in the computing landscape. On May 25, 2016, we observed a sudden spike in DRIDEX-related spam emails after its seeming ‘hiatus.’ This spam campaign mostly affected users in the United States, Brazil, China, Germany, and Japan.

Figure 1. Top countries affected by DRIDEX-related spam emails (May 25, 2016)

This particular DRIDEX campaign differs significantly from its previous waves. Instead of the usual fake invoice or notification baits, DRIDEX plays on people’s fears of having their accounts compromised. Besides the change in email subjects, DRIDEX also has new tricks up its sleeve. On top of its macro usage, it also leverages Certutil, a Windows command-line program for certificate services, which can be used to decode a base64-encoded file disguised as a .PFX file. These two elements combined (use of macros and Certutil) can add to DRIDEX’s prevalence and pose challenges to detection.

Banking on fear

Let’s take a look at the spam run that the cyber crooks used in this particular case. The email message bears the subject “Account Compromised” and contains details of the supposed logon attempt, including the IP address, to make it look legitimate. The spammed message is almost believable except for one missing crucial detail: it doesn’t have any information on what type of account (email, bank, social media, etc.) was compromised. A genuine notification of this type typically mentions the account type that a remote user attempted to log on to.

Perhaps these cybercriminals are banking on scare tactics to move you into opening the .ZIP file attachment, which supposedly contains the full report. If you open this attachment, you will see a blank document instructing you to enable macros. This, of course, kick-starts the DRIDEX infection chain on the system.

Figure 2. Sample spam

Based on our research, the spam runs of DRIDEX resemble those of the Locky ransomware in their use of macros and identical email templates.

Leveraging Certutil

At the height of ransomware-related spam, you may think that DRIDEX has lost its visibility in the threat landscape. But with new tactics such as the use of Certutil and a Personal Information Exchange (.PFX) file, a file format used by software certificates to store public and private keys, DRIDEX may regain its spot as a top online banking threat.

There are slight changes in this particular DRIDEX spam run. When you open the .ZIP file attachment and the Word document, a .PFX file is dropped. However, this won’t necessarily run on your system because it’s encrypted. This is where Certutil comes in: it decodes the base64 text file, converting the .PFX file into an .EXE file. Once the .PFX file is converted into an executable file, DRIDEX infects your system.

You may be wondering why these cybercriminals added another layer to the infection process. Since the dropped file is initially in .PFX format, it enables DRIDEX to bypass detection, which poses challenges in detecting and mitigating the threat. Even before this new wave, the use of macros enabled the threat to bypass sandbox technologies. This clearly indicates that DRIDEX is upping its ante to remain a prevalent online banking threat.
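The two paragraphs above describe the trick (a base64 text file named .PFX that Certutil turns back into an .EXE) and the detection problem it creates. The following script is an added defender-side example, not code from the original post or from Trend Micro; it shows two checks an analyst can run. First, a real .PFX file is binary PKCS#12 DER that begins with an ASN.1 SEQUENCE byte (0x30), so a “.PFX” that is actually base64 text decoding to the PE magic “MZ” is an executable in disguise. Second, a process-creation event where certutil.exe runs with -decode and its parent is an Office application is exactly the step the macro performs. The log lines and the fake .PFX payload are constructed samples in a Sysmon-style key=value layout; the field names are assumptions about the log format, not data from the page.

```python
"""Added example: spotting a base64-wrapped executable posing as a .PFX file, and
flagging certutil -decode launched from an Office process (constructed samples)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

PE_MAGIC = b"MZ"          # first two bytes of any Windows PE executable
ASN1_SEQUENCE = b"\x30"   # first byte of a genuine DER-encoded PKCS#12 (.PFX) file

# Constructed sample: a base64 blob wrapped in the PEM-style header/footer lines that
# certutil -encode emits, whose payload starts with "MZ" instead of PKCS#12 DER.
FAKE_PFX_TEXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def classify_pfx_bytes(data: bytes) -> str:
    """Return 'pkcs12', 'base64-pe', 'base64-other' or 'unknown' for a file
    that claims to be a .PFX. certutil -decode accepts base64 with or without
    the PEM header/footer lines, so both forms are handled."""
    if data[:1] == ASN1_SEQUENCE:
        return "pkcs12"
    text = data.decode("ascii", errors="ignore")
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    body = re.sub(r"\s+", "", body)
    if not body or not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        return "unknown"
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-pe" if decoded[:2] == PE_MAGIC else "base64-other"


# --- process-creation log check -------------------------------------------------
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# certutil accepts both "-decode" and "/decode"; -decodehex is the hex variant.
DECODE_FLAG = re.compile(r"(?i)(?:^|\s)[-/]+decode(?:hex)?(?:\s|$)")


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse a constructed 'Key="value" Key=value' process-creation line."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {k: (quoted or bare) for k, quoted, bare in pairs}
    if not {"Image", "CommandLine", "ParentImage"} <= fields.keys():
        return None
    return ProcEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def certutil_decode_alert(ev: ProcEvent) -> Optional[str]:
    """Alert when certutil.exe is used to decode a file; severity rises when the
    parent is an Office application, i.e. a macro did the launching."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name != "certutil.exe" or not DECODE_FLAG.search(ev.command_line):
        return None
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return f"{severity}: certutil decode launched by {parent}: {ev.command_line}"


def scan_log(text: str) -> list:
    """Run the certutil check over every parsable line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            alert = certutil_decode_alert(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: one macro-driven decode, one benign certutil use, one unrelated event.
SAMPLE_LOG = """\
Image="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil -decode C:\\Users\\u\\AppData\\Local\\Temp\\report.pfx C:\\Users\\u\\AppData\\Local\\Temp\\report.exe" ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
Image="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil -verify server.cer" ParentImage="C:\\Windows\\System32\\cmd.exe"
Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c dir" ParentImage="C:\\Windows\\explorer.exe"
"""

if __name__ == "__main__":
    print("fake .pfx classified as:", classify_pfx_bytes(FAKE_PFX_TEXT.encode()))
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the constructed samples the fake .PFX is classified as base64-pe and only the WINWORD.EXE-spawned certutil line raises a high-severity alert; the -verify invocation from cmd.exe passes, which keeps the rule usable on hosts where administrators legitimately run certutil.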

What can users and organizations do?

Despite DRIDEX’s prevalence, users and organizations can take simple preventive measures, such as not opening attachments or enabling macros in emails from unknown sources. When you get an email about a compromised account, check and verify the source first; it is always best to examine the email message before taking any action. Enterprises, for their part, can create policies that block email messages with attachments from unknown sources. It is also recommended that they educate their employees about this type of security threat and what to do when they encounter one. Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and SMBs from this threat by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. Trend Micro Deep Discovery, which has an email inspection layer, can protect enterprises by detecting malicious attachments and URLs, thereby preventing systems from being infected with DRIDEX.

Our TippingPoint users are protected from this threat via the following MainlineDV filter:

  • 24747: TLS: Malicious SSL Certificate Detected (TSPY_DRIDEX.YVD)

Our appendix contains details of the related SHA1 hashes, detections, and malicious URLs.

Additional analysis by Lala Manly

Updated on June 7, 2016, 12:50 AM (UTC-7)

We updated this entry to revise details on the possible impact of leveraging Certutil in the said attack.

Tags: DRIDEX, online banking threats, spam outbreak
