This look at the Dridex infection chain covers how the malware has evolved over the past few years and how it has been used to weaponise the Excel-DNA framework. We also examine how drug dealers in Eastern Europe have shifted to using Dridex as a mechanism for delivering expensive drugs such as cocaine.
This case study shows how criminals use new technology to create new methods of infection, evolve their practices, and target less well-protected individuals.
One of the most notable features of Dridex is its ability to spread through Word documents, which attackers use as a means of delivering their malware to unsuspecting victims. These documents are often marked up using macro-enabled languages, though they can also be plain-text documents that hide the nature of the file from users. Once the document is opened, Dridex is injected into the victim's system by exploiting a flaw in how Microsoft applications handle .dotm files (a format used for embedding images). Once infected, the victim machine becomes part of a botnet that the criminals can use to steal bank account details and send spam e-mails.
However, since late 2014, we have seen Dridex used as a delivery mechanism for expensive drugs such as cocaine instead of bank account details. How is this possible? Dridex is now capable of exploiting Microsoft Office vulnerabilities in order to open an HTA file (a format designed to display HTML content on Windows systems). Within this file is a Visual Basic script that downloads the final payload, which is an HTA file containing custom code designed to exploit vulnerabilities in Internet Explorer and Office on the victim's machine.
Once executed, the victim's system is compromised by a malicious worm that uses the infected machine to infect other computers within its local network. The worm also creates a scheduled Windows task to ensure that it runs when least suspected.
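The chain described above (an Office document launching an HTA/script host, which fetches a payload and then persists through a scheduled task) leaves a distinctive process tree on the host. The following detection logic is an added example written for this page, not code from the original post or from any vendor; it assumes process-creation records shaped like Sysmon Event ID 1 (pid, parent pid, image, command line), and the user name, file names and task name in the sample events are constructed.

```python
"""Added example: host-based detection for an Office -> HTA/script host ->
scheduled-task chain. All events below are constructed, not real telemetry."""

from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed process-creation events shaped like Sysmon Event ID 1 records
# (hypothetical user "x", file names and task name).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmd": 'WINWORD.EXE "C:\\Users\\x\\Downloads\\invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmd": "mshta.exe C:\\Users\\x\\AppData\\Local\\Temp\\stage1.hta"},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe",
     "cmd": "schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\\Users\\x\\AppData\\Roaming\\u.exe"},
    # Benign-looking HTA launched by the user from Program Files: must not fire.
    {"pid": 500, "ppid": 100, "image": "mshta.exe",
     "cmd": 'mshta.exe "C:\\Program Files\\Vendor\\setup.hta"'},
]


def ancestry(by_pid: Dict[int, Dict], pid: int) -> List[str]:
    """Image names of the process's ancestors, nearest parent first (lower-cased).
    Stops at an unknown parent or a cycle so malformed data cannot loop forever."""
    chain: List[str] = []
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        chain.append(parent["image"].lower())
        seen.add(parent["pid"])
        cur = parent
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per (pid, rule) that matches the chain described above."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmd"].lower()
        chain = ancestry(by_pid, e["pid"])

        # Rule 1: an Office application directly launching a script/HTA host.
        if image in SCRIPT_HOSTS and chain and chain[0] in OFFICE_PARENTS:
            findings.append({"pid": e["pid"], "rule": "office_spawns_script_host", "chain": chain})

        # Rule 2: an HTA executed from a user-writable location, where a dropped
        # stage usually lands; the Program Files launch above does not match.
        if image == "mshta.exe" and any(h in cmd for h in USER_WRITABLE_HINTS):
            findings.append({"pid": e["pid"], "rule": "hta_from_user_writable_path", "chain": chain})

        # Rule 3: a scheduled task created anywhere beneath an Office -> script
        # host pair in the process tree (the persistence step described above).
        if image in PERSISTENCE_TOOLS and "/create" in cmd:
            pairs = zip(chain, chain[1:])
            if any(c in SCRIPT_HOSTS and p in OFFICE_PARENTS for c, p in pairs):
                findings.append({"pid": e["pid"], "rule": "scheduled_task_from_office_chain", "chain": chain})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']} via {' <- '.join(f['chain'])}")
```

Run against the sample events, the detector flags the mshta.exe process (pid 300) twice (Office parent, HTA in a temp directory) and the schtasks.exe process (pid 400) once, while the HTA launched from Program Files under explorer.exe (pid 500) produces nothing. Walking the full ancestry rather than checking only the direct parent is what lets rule 3 catch persistence that is two or more hops away from the Office process.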