DRIDEX Poses as Fake Certificate in Latest Spam Run

By Michael Casayuran, Rhena Inocencio, and Jay Yaneza

At a glance, DRIDEX seems to have scaled back its operations, appearing only for a few days this May. This is quite unusual given that, for the past five months or so, this prevalent online banking threat has been consistently active. On May 25, 2016, we observed a sudden spike in DRIDEX-related spam emails after this seeming ‘hiatus.’ The spam campaign mostly affected users in the United States, Brazil, China, Germany, and Japan.


Figure 1. Top countries affected by DRIDEX-related spam emails (May 25, 2016)

This DRIDEX campaign differs significantly from its previous waves. Instead of the usual fake invoice or notification baits, DRIDEX plays on people’s fears of having their accounts compromised. Besides the change in email subjects, DRIDEX also has new tricks up its sleeve. On top of its macro usage, it leverages Certutil, a command-line program related to certificate services, to pass its malicious file off as a legitimate certificate. Combined, these two elements (macros and Certutil) can add to DRIDEX’s prevalence and pose challenges to detection.

Banking on fear

Let’s take a look at the spam run the cybercriminals used in this particular case. The email message bears the subject “Account Compromised” and contains details of the supposed logon attempt, including the IP address, to make it look legitimate. The spammed message is almost believable except for one crucial missing detail: it doesn’t say what type of account (email, bank, social media, etc.) was compromised. Genuine notifications of this type typically mention the account that a remote user attempted to log on to.

Perhaps these cybercriminals are banking on scare tactics to push you into opening the .ZIP file attachment, which supposedly has the full report. If you do open this attachment, you will see a blank document instructing you to enable macros. Doing so, of course, kick-starts the DRIDEX infection chain on the system.


Figure 2. Sample spam

Based on our research, DRIDEX’s spam runs resemble those of Locky ransomware in their use of macros and identical email templates.

Leveraging Certutil

At the height of ransomware-related spam, you may think that DRIDEX has lost its visibility in the threat landscape. But with new tactics such as the use of Certutil and Personal Information Exchange (.PFX) files, a file type used by software certificates to store public and private keys, DRIDEX may regain its spot as the top online banking threat.

There are slight changes in this particular DRIDEX spam run. When you open the .ZIP file attachment and the Word document, a .PFX file is dropped. However, this won’t necessarily run on your system because it’s encrypted. This is where Certutil comes in: it decodes the base64 text file, converting the .PFX file into an .EXE file. Once the .PFX file has been converted into an executable file, DRIDEX infects your system.

You may wonder why these cybercriminals added another layer to the infection chain. Because the dropped file is initially in .PFX format, it enables DRIDEX to bypass detection. Both .PFX and Certutil are leveraged to pass off the malicious file as a legitimate certificate. And once systems consider this malicious file a legitimate certificate, similar instances will no longer be blocked or detected. As such, this poses challenges in detecting and mitigating DRIDEX. Prior to this new wave, the use of macros enabled the threat to bypass sandbox technologies. This clearly indicates that DRIDEX is upping the ante to remain a prevalent online banking threat.
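A defender's triage sketch for the technique described above, added here as an example (it is not Trend Micro's detection logic): it checks whether a file named .pfx is really base64 text hiding an executable header, and whether a process command line asks Certutil to decode into an executable. The function names, sample bytes and paths are constructed for illustration; `-decode` is Certutil's standard base64-decoding verb.

```python
import base64
import binascii
import re

# PEM-style armor lines such as "-----BEGIN CERTIFICATE-----".
PEM_LINE = re.compile(rb"^-----(?:BEGIN|END) [A-Z0-9 ]+-----\s*$", re.M)
# certutil -decode <in> <out> where <out> is executable (unquoted paths only).
DECODE_TO_EXE = re.compile(
    r"certutil(?:\.exe)?\s+.*?[-/]decode\s+\S+\s+\S+\.(?:exe|dll|scr)\b", re.I)

def classify_pfx(data: bytes) -> str:
    """Classify the content of a file that carries a .pfx extension."""
    body = b"".join(PEM_LINE.sub(b"", data).split())
    try:
        decoded = base64.b64decode(body, validate=True) if body else b""
    except (binascii.Error, ValueError):
        decoded = b""
    if decoded[:2] == b"MZ":          # PE/DOS header hidden behind base64 text
        return "base64-encoded-pe"
    if decoded:
        return "base64-other"
    # A genuine PKCS#12 store is binary DER and opens with an ASN.1 SEQUENCE tag.
    return "der-pkcs12-like" if data[:1] == b"\x30" else "unknown"

def suspicious_certutil(cmdline: str) -> bool:
    """True when certutil is asked to decode a file into an executable."""
    return bool(DECODE_TO_EXE.search(cmdline))

# Constructed samples: a 64-byte stub that only starts with "MZ", and a DER-like header.
FAKE_PFX = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(b"MZ" + bytes(62))
            + b"-----END CERTIFICATE-----\n")
DER_STUB = b"\x30\x82\x01\x00" + bytes(16)
CMD_BAD = r"certutil -decode C:\Temp\sample.pfx C:\Temp\sample.exe"
CMD_OK = r"certutil -decode C:\Temp\request.b64 C:\Temp\request.cer"

if __name__ == "__main__":
    print(classify_pfx(FAKE_PFX), classify_pfx(DER_STUB))
    print(suspicious_certutil(CMD_BAD), suspicious_certutil(CMD_OK))
```

A "base64-other" verdict is expected for ordinary PEM certificates, so only the "base64-encoded-pe" result and the decode-to-executable command line are worth alerting on.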

What can users and organizations do?

Despite DRIDEX’s prevalence, users and organizations can take simple preventive measures, such as not opening attachments or enabling macros in emails from unknown sources. When you get emails about compromised accounts, check and verify the source first. It is always best to examine the email message before taking any action. Enterprises, for their part, can create policies that block email messages with attachments from unknown sources. It is also recommended that they educate their employees about this type of security threat and what to do when they encounter one.

Trend Micro endpoint solutions such as Trend Micro™ Security Smart Protection Suites, and Worry-Free Business Security can protect users and SMBs from this threat by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. In addition, Trend Micro Deep Discovery, which has an email inspection layer, can protect enterprises by detecting malicious attachments and URLs. As such, it can prevent systems from being infected with DRIDEX.

Our TippingPoint users are protected from this threat via the following MainlineDV filter:

  • 24747: TLS: Malicious SSL Certificate Detected (TSPY_DRIDEX.YVD)

Our appendix contains details of related SHA1 hashes, detections, and a list of malicious URLs.

Additional analysis by Lala Manly

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 1. June 2016, content source with full text you can find at link above.