article / Apr 26, 2016

Dridex Update: Moving to US Financials with VNC

by Doron Voolf

Our ongoing campaign analysis has revealed that Dridex malware’s latest campaign focus has strongly shifted in recent months from U.K. banks, which had been the main targets previously, to US banks today. Dridex and its latest trends are constantly monitored in our lab, which allowed us to take note when many new targets were recently added to the target list. Redirects to fake pages were most common with U.K. bank incidents. Now the malware mainly uses classical webinjects alongside the redirection technique.

The latest campaign is marked as Botnet 301, version 196810.

Figure 1: Dridex botnet information
 

The Dridex target list was significantly expanded (129 redirect and injection directives), mainly focusing on U.S. financial institutes, form-grabbing targets on social media sites (which are also related to the United States), credit card companies, and financial investment corporations.

The most noticeable observation in the current webinjects is that most of them are accompanied by activating the VNC functionality, which enables the fraudsters to remotely connect to their victim during the credentials theft.

Figure 2: Dridex 301 targeted institutions by country
 

New Form-Grabbing Targets

Dridex also steals credentials for non-financial accounts, both over HTTP communication and HTTP over SSL (HTTPS) encrypted communication:

Figure 3: Dridex 301 form grabbing of social media information
 

There have been several targets, including:

  • Yahoo
  • Microsoft
  • Skype
  • Twitter
  • AOL
  • Facebook

How Dridex Initiates VNC Communication

VNC research conducted by malware researcher Hadas Dorfman

Dridex continues using the VNC functionality in order to remotely connect to machines to facilitate the committing of fraudulent transactions.

The VNC is used inside the redirection mechanism, which was described in our previous article, Dridex Botnet 220 campaign.

The following is a snippet of a classical Dridex webinject:

Figure 4: Dridex 301 classical webinject
 

When the site's URL matches the URL regex in the webinject, Dridex will inject another “script” tag into the original response from the bank. This will cause the browser to issue a request for the JavaScript script mentioned in the “src” ("scripts/contextprov23.js").

As a result, the request for the script is generated with the domain of the targeted site.

For example, if the targeted site was mybank.com, the request for the script that was generated would be "mybank.com/scripts/contextprov23.js".

When the request for this script is generated within the browser, it is intercepted by the malware's network hook and is passed to the redirection mechanism, as seen in Figure 5.

Figure 5: Dridex 301 redirection directive
 

When the requested script is checked against such a redirection directive and there is a match, the request for the script is dropped and the same script request is launched to a different domain (the “URI” directive), so the script is actually fetched from the fraudster’s server.

During the redirection mechanism, the VNC flag (part of the redirect directive in the malware configuration) is checked, and if it’s true, the VNC module is launched. This triggers the browser network hook to deliver a message to the Dridex worker module inside the explorer.exe process. This message signals the worker module to launch the VNC module.

The module “vnc_x32” (or “vnc_x64” for 64-bit systems) is responsible for the VNC functionality. It exports: “VncStartServer” and “VncStopServer” functions to operate this activity.

While the Dridex worker module inside the explorer.exe process receives the message to launch VNC, the “VncStartServer” function address is resolved and the appropriate function is called.

Static Code Analysis Of A “Vncstartserver” Call:

Figure 6: Dridex 301 VncStartServer static view
 

Runtime Debugging View:

Figure 7: Dridex 301 VncStartServer runtime view
 

Once the VNC server is started, the fraudster is able to remotely connect and use the victim’s machine.


Tested MD5: f6a9835201d5cae894863a46bbf12d69


About F5 Labs

F5 Labs combines the expertise of our security researchers with the threat intelligence data we collect to provide actionable, global intelligence on current cyber threats—and to identify future trends. We look at everything from threat actors, to the nature and source of attacks, to post-attack analysis of significant incidents to create a comprehensive view of the threat landscape. From the newest malware variants to zero-day exploits and attack trends, F5 Labs is where you’ll find the latest insights from F5’s threat intelligence team.

MODIFIED: Jul 06, 2017

Tags: , , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.