Dridex Is Back, Uses New Windows UAC Bypass Method

January 30, 2017

Banking malware Dridex is back and it’s worse, targeting British financial institutions with a new technique that has the capability of bypassing Windows User Account Control.

Researchers at security firm Flashpoint detected small phishing and spear-phishing campaigns targeting specific recipients. The messages contained macros in document attachments that allowed the download of the Dridex malware.

This User Account Control (UAC) bypass method had gone unobserved until now, the company says. It uses recdisc.exe, which is a Windows default recovery disc executable, while loading of malicious code via impersonated SPP.dll.

Recdisc is one of the applications that is automatically elevated by Windows 7, which makes it even harder to observe by Windows users, especially since it is automatically included on the white-list of applications that are subject to auto-elevation. By riding this particular train, Dridex can bypass UAC in no time.

How it works

First, the malware creates a directory in Windows\System32\6886 and then it copies the legitimate binary from recdisc to this folder. Dridex then copies itself to %APPDATA%\Local\Temp as a tmp file and moves itself to Windows\System32\6886\SPP.dll.

The malware continues to work by deleting any wu*.exe and po*.dll files from System32, executes recdisc.exe and loads itself as impersonated SPP.dll with admin privileges.

Dridex then bypasses UAC by copying the recdisc executable into the new 6886 folder. A script executes the cmd batch file and then Dridex creates a new firewall rule. This new rule allows ICMPv4 listeners for P2P protocol communications in %AppData%\Local\Temp.

Spreading efficiently

Thousands of systems have been infected already and the malware acts as it has done in the past – by monitoring a victim’s traffic to bank sites, collecting login credentials and account information.

Read full story…