Dridex Returns With Windows UAC Bypass Method

Dridex banking malware returns with a new bypass technique that allows the malware to execute without triggering a Windows UAC alert to the user.

After a six-month hiatus, the Dridex banking malware is back and targeting large financial institutions in the U.K with a new technique that can bypass Windows User Account Control (UAC).

Researchers at Flashpoint said they have seen small phishing and spear-phishing campaigns targeting specific recipients with messages containing macros in document attachments that download Dridex. The attachments purport to be tax documents or electronic fax confirmations. The campaigns are smaller than previous Dridex campaigns that infected millions of machines.

“So far the campaigns have been successful and are responsible for infecting thousands of systems,” said Vitali Kremez, senior intelligence analyst at Flashpoint.

Dridex campaign metrics reveal intermittent activity since its peak in May 2016. Source: Flashpoint

Once systems are infected, the UAC bypass allows the malware to execute without a user having to approve the behavior. The UAC bypass is characterized by its use of recdisc[.]exe, a default Windows recovery-disc executable, and its loading of malicious code via an impersonated SPP[.]dll, according to a technical analysis of the malware by Flashpoint.

The Dridex malware consists of two modules: an initial dropper module that downloads the main module. After the initial infection, Dridex relocates itself, copying itself to the Windows %TEMP% directory and then deleting the copy in its original download directory. From there Dridex executes commands that copy the recdisc[.]exe binary from Windows\System32\recdisc[.]exe into a new directory it creates called Windows\System32\6886, and loads it from that location.

“In Windows there are certain default binaries and applications that are stored in the System32 directory. Those applications are whitelisted for automatic elevation (of system privileges). What that means is that Windows needs those applications to run at the highest possible privileges. So, those applications are not required to ask the user ‘do you want to run this application,’” Kremez said.

This allows Dridex, and the functions associated with it, to run silently on targeted PCs from within the Windows\System32\6886 directory. “From Windows’ perspective Dridex is now a trusted application with the highest privileges in Windows’ protocol,” he said.

The attack works against fully patched Windows 10 and previous Windows versions, Flashpoint said.

The next phase of a Dridex attack includes creating a firewall rule by allowing ICMPv4 listeners for peer-to-peer protocol communications on ports 4431-4433. “In this instance, peers are other enslaved Dridex victims,” Kremez remarks.
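The sequence described above (a copy of recdisc[.]exe placed in a newly created System32 subdirectory, execution of that copy, the side-loading of a look-alike SPP.dll from the same directory, and a firewall rule opening ports 4431-4433) gives a defender four observable indicators. The script below is an added example written for this article, not code from Flashpoint's analysis or from Threatpost; it applies those four checks to a handful of constructed, Sysmon-style event records. The event field names (`type`, `image`, `loaded`, `target`, `local_ports`) are an assumption of this example, not a real Sysmon schema, so a real deployment would map its own telemetry fields onto them.

```python
"""Detection heuristics for the recdisc.exe / SPP.dll UAC-bypass pattern.

Added example (not Flashpoint's or Threatpost's code). Events are plain
dicts in a Sysmon-like shape that is assumed for this example only.
"""
from __future__ import annotations

import ntpath  # Windows path handling, works on any OS

# Canonical directory of the legitimate auto-elevating binaries.
SYSTEM32 = r"c:\windows\system32"
# Peer-to-peer ports named in the Flashpoint analysis.
DRIDEX_P2P_PORTS = {4431, 4432, 4433}


def _norm(path: str) -> str:
    """Lower-case and strip a trailing backslash for comparisons."""
    return path.lower().rstrip("\\")


def is_directly_in_system32(path: str) -> bool:
    """True only if the file sits directly in System32, not a subdirectory."""
    return _norm(ntpath.dirname(path)) == SYSTEM32


def _is_system32_subdir_file(path: str) -> bool:
    """True if the file is under System32 but not directly in it (e.g. System32\\6886\\)."""
    return _norm(path).startswith(SYSTEM32 + "\\") and not is_directly_in_system32(path)


def check_event(ev: dict) -> list[str]:
    """Return a list of finding strings for one event (empty if benign)."""
    findings: list[str] = []
    kind = ev.get("type")

    if kind == "file_create":
        # Indicator 1: recdisc.exe written into a subdirectory of System32.
        target = ev["target"]
        if ntpath.basename(target).lower() == "recdisc.exe" and _is_system32_subdir_file(target):
            findings.append(f"recdisc.exe copied into System32 subdirectory: {target}")

    elif kind == "process_create":
        # Indicator 2: recdisc.exe executing from anywhere but System32 itself.
        image = ev["image"]
        if ntpath.basename(image).lower() == "recdisc.exe" and not is_directly_in_system32(image):
            findings.append(f"recdisc.exe executed from unexpected path: {image}")

    elif kind == "image_load":
        # Indicator 3: a DLL named SPP.dll loaded from outside System32 (side-loading).
        loaded = ev["loaded"]
        if ntpath.basename(loaded).lower() == "spp.dll" and not is_directly_in_system32(loaded):
            findings.append(f"SPP.dll side-loaded by {ev['image']} from {loaded}")

    elif kind == "firewall_rule":
        # Indicator 4: inbound rule opening the Dridex peer-to-peer ports.
        ports = set(ev.get("local_ports", []))
        if ev.get("direction") == "in" and ports & DRIDEX_P2P_PORTS:
            findings.append(f"inbound firewall rule for Dridex P2P ports: {sorted(ports & DRIDEX_P2P_PORTS)}")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over a sequence of events, returning (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry for this example; not real captured events.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\recdisc.exe"},            # legitimate, no finding
    {"type": "file_create", "target": r"C:\Windows\System32\6886\recdisc.exe"},         # indicator 1
    {"type": "process_create", "image": r"C:\Windows\System32\6886\recdisc.exe"},       # indicator 2
    {"type": "image_load", "image": r"C:\Windows\System32\6886\recdisc.exe",
     "loaded": r"C:\Windows\System32\6886\SPP.dll"},                                    # indicator 3
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\sppc.dll"},                                        # different DLL, no finding
    {"type": "firewall_rule", "direction": "in", "local_ports": [4431, 4432, 4433]},    # indicator 4
    {"type": "firewall_rule", "direction": "in", "local_ports": [443]},                 # ordinary HTTPS rule, no finding
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The name-plus-directory comparison is deliberate: the binary name recdisc.exe is whitelisted for auto-elevation only at its canonical System32 location, so any copy that executes or is written elsewhere under System32 is the anomaly worth alerting on, and the same path logic catches the look-alike SPP.dll that the copy loads.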

As with previous campaigns, Dridex exhibits typical behavior of monitoring a victim’s traffic to bank sites and stealing login and account information.

“Dridex is a very modular Trojan,” Kremez said. “The malware will take advantage of opportunities as they present themselves, like harvesting credentials, cookies and saved passwords. Attackers may also establish a remote desktop protocol module and attempt further network penetration.”

Discussion

  • Jared Van Leeuwen on

    Is it able to execute the programs if the user is not running as an Administrator?
  • M. Smoot on

    Good Morning Tom, nice write up. Noticed however that your article notes, "The attack works against fully patched Windows 10 and previous Windows versions, Flashpoint said." Can you point me to where this ref was taken from? I reviewed the Flashpoint hyperlink (Jan 26) you listed and it only makes ref to Win 7. Thanks!
  • Justin on

    Question. This: "Here Dridex executes commands that copies the recdisc[.]exe binary from Windows\System32\recdisc[.]exe and loads it into a new directory it creates called Windows\System32\6886." In order to create the new directory and copy itself within the Windows directory, it would need elevated privileges. Does the infection require initial elevation by the user?
