MALWARE IN BACS REMITTANCE EMAILS

BACS REMITTANCE EMAILS CONTAIN DRIDEX MALWARE

Users download and execute malware on their systems in a number of ways, and email attachments are one of the most common. Users are easily tricked into clicking and downloading attachments. Furthermore, we use email for many transactions, including online banking, and as a result email exposes us to criminal and fraudulent activity.

Dridex is a banking Trojan, a type of malware that specializes in stealing bank account information. It is also known as Bugat or Cridex.

This malware primarily targets Windows users. Dridex arrives disguised as an Excel or Word email attachment. The document prompts the user to enable macros, and the macro in turn downloads the Dridex malware, opening the user to theft.

The primary goal of Dridex is to steal banking details such as account names, numbers, and passwords. Additionally, it allows attackers to perform fraudulent transactions using the stolen identities. The software carries out injection attacks and installs a keyboard listener on the infected machine.

This malware stole an estimated £20 million in the UK. Similarly, it stole $10 million in the US in 2015. Since then, Dridex has infiltrated more than 20 countries. In September 2016, experts said that the banking Trojan would target crypto-currency wallets such as Bitcoin and other forms.

You may be in danger of opening malware if you receive an email containing remittance advice for BACS. BACS refers to Banker’s Automated Clearing Services and it electronically processes financial transactions in the United Kingdom. Most victims come from the United Kingdom.


The email comes with an Excel attachment named BAC_296422H.xls. Its macro runs automatically once the file is opened, provided macros are enabled in Microsoft Office. The malicious document is detected as X97M/DownldExe.A.

The macro downloads and executes a WinPE file that is named “test.exe” coming from xx.xxx.xxx.xxx:8080/stat.lld.php. The downloaded executable is usually W32/DridLd.A.

W32/DridLd.A is a component downloader of the Dridex malware. It belongs to the Cridex family. W32/DridLd.A is arguably the heir of banking Trojans. W32/DridLd.A steals banking account information through HTML injections.

W32/DridLd.A masquerades as a Windows component, but a closer look shows why it is suspicious: the original and internal filenames are those of a DLL, while the file type is specified as a Win32 EXE.


A debugger reveals a compressed executable, stored encrypted in the .data section. Unpacking the executable further reveals a compressed server config.


The unpacked .data section contains a list of the servers from which the malware component, Dridex, is downloaded.


Dridex collects some system information before performing a POST to any of the listed servers. This information includes the computer name, username, Windows version, installation date, and finally the names and versions of installed applications. These applications are enumerated from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Next, the malware builds a data buffer in XML:

<loader><get_module unique="v1" botnet="v2" system="v3" name="bot" bit="v4"/><soft><![CDATA[v5]]></soft></loader>

 

Where

v1 = %ComputerName%_%MD5 of the checksum of UserName and InstallDate%

v2 = %Numeric Botnet ID% (125 in this case)

v3 = %Checksum(MajorVersion|MinorVersion|ServicePackMinor|ServicePackMinor|SuiteMask)%

v4 = %List of applications enumerated from Uninstall key delimited by “;”%

 

The malware sends a POST request to a server from the server config. The request body is the XML buffer holding the collected data, in encrypted form. Encryption simply uses an XOR operation with “x” as key.


The contacted botnet server then sends a reply to the request. This response is also encrypted XML data. One can decrypt the response using the same XOR operation.
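For an analyst working from a packet capture, the check-in described above can be decoded and broken into its fields. This is an added example, not code from the original article or from the malware. It assumes the key is the single ASCII byte "x" and uses a constructed sample body with placeholder values; the function and field names are hypothetical.

```python
import xml.etree.ElementTree as ET

XOR_KEY = b"x"  # assumption: the article's key "x" read as the single ASCII byte 0x78


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR is symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_loader_checkin(body: bytes) -> dict:
    """Decode a captured POST body and return its fields; raise ValueError otherwise."""
    plain = xor_bytes(body)
    # Requiring the root tag first also rejects any DOCTYPE, so the captured
    # (untrusted) document cannot declare entities for the parser to expand.
    if not plain.startswith(b"<loader>"):
        raise ValueError("body does not decode to a <loader> document")
    try:
        root = ET.fromstring(plain.decode("utf-8"))
    except (UnicodeDecodeError, ET.ParseError) as exc:
        raise ValueError(f"malformed check-in: {exc}") from exc
    module = root.find("get_module")
    if module is None:
        raise ValueError("missing get_module element")
    # unique = %ComputerName%_%MD5...%; split on the last "_" because
    # computer names may themselves contain underscores.
    host, _, host_hash = module.get("unique", "").rpartition("_")
    return {
        "computer_name": host,
        "host_hash": host_hash,
        "botnet": module.get("botnet"),
        "system": module.get("system"),
        "bit": module.get("bit"),
        "software": [s for s in root.findtext("soft", default="").split(";") if s],
    }


# Constructed sample: placeholder values in the XML layout quoted in the article.
SAMPLE_XML = (
    '<loader><get_module unique="WORKSTATION-01_0123456789abcdef0123456789abcdef" '
    'botnet="125" system="12345" name="bot" bit="32"/>'
    "<soft><![CDATA[Example App 1.0;Example Reader 2.3]]></soft></loader>"
)
CAPTURED_BODY = xor_bytes(SAMPLE_XML.encode())  # stands in for bytes seen on the wire

if __name__ == "__main__":
    for field, value in parse_loader_checkin(CAPTURED_BODY).items():
        print(f"{field}: {value}")
```

The decoded software list is worth keeping in the incident record, since it shows what the operators learned about the host.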

The decoded response includes the main DLL component of the Dridex malware. It is then saved in the directory where the downloader XX.tmp was executed. The XX can have varying characters, as in the example 15.tmp. W32/Dridex.A poses as a Microsoft library with the filename MFC110CHS.DLL.


The W32/Dridex.A downloader component is packed through the same compression technique. The unpacked .sdata section contains compressed data as well. However, the data is compressed with a public key this time.


Rundll32.exe loads the main component. It is called using the following syntax:

Rundll32.exe %path to Dridex DLL% NotifierInit

 

Once the main component has been called through its exported function, NotifierInit injects another copy of itself into explorer.exe. Later, it deletes its own file to avoid detection by security scans.

From there, running injected inside explorer.exe, the malware can perform its malicious activities. It can monitor browser activity in browsers including Chrome, Firefox and Internet Explorer.

The malware then performs spyware functions. It grabs screenshots of the infected user’s desktop. Similarly, it also acts as a keylogger that saves account information.
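The execution chain described above leaves several traces in process-creation logs. The following added example, which is not from the original article, turns them into simple matching rules over constructed events. The parent/child relationships, the Temp paths and the trusted-directory list are assumptions, and the rule names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

OFFICE = {"excel.exe", "winword.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # assumption: default install paths
DLL_NAME = "mfc110chs.dll"  # file name the article says the main component uses


def referenced_dll(cmd: str):
    """Full path of DLL_NAME in a lower-cased command line, or None if absent."""
    end = cmd.find(DLL_NAME)
    # Start from the drive prefix nearest the DLL, not rundll32's own path.
    drives = [m.start() for m in re.finditer(r"[a-z]:\\", cmd[:max(end, 0)])]
    return cmd[drives[-1]:end + len(DLL_NAME)] if end >= 0 and drives else None


def findings(event: dict) -> list:
    """Names of the article-derived rules matched by one process-creation event."""
    image, cmd = event["image"].lower(), event["cmdline"].lower()
    name = PureWindowsPath(image).name
    parent = PureWindowsPath(event["parent"].lower()).name
    hits = []
    if parent in OFFICE and not image.startswith(TRUSTED_DIRS):
        hits.append("office_spawned_untrusted_binary")  # macro ran a download
    if name.endswith(".tmp"):
        hits.append("executable_with_tmp_extension")  # the XX.tmp downloader
    if name == "rundll32.exe":
        if re.search(r"\bnotifierinit\b", cmd):
            hits.append("rundll32_notifierinit")
        dll = referenced_dll(cmd)
        if dll and not dll.startswith(TRUSTED_DIRS):
            hits.append("mfc110chs_outside_trusted_dir")
    return hits


TEMP = r"C:\Users\user\AppData\Local\Temp"
# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": TEMP + r"\test.exe", "cmdline": TEMP + r"\test.exe"},
    {"parent": TEMP + r"\test.exe",
     "image": TEMP + r"\15.tmp", "cmdline": TEMP + r"\15.tmp"},
    {"parent": TEMP + r"\15.tmp", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe " + TEMP + r"\MFC110CHS.DLL NotifierInit"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(PureWindowsPath(ev["image"]).name, findings(ev))
```

Because the component deletes its file after injection, these process events may be the only remaining record of the DLL's path, so they should be collected centrally rather than read from the infected host.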


Dealing with emails and documents entails being vigilant to suspicious attachments. Particularly, the Dridex malware attachment seems inconspicuous. However, it is very harmful once opened as its chain of infection is based on social engineering. Observant handling of such emails, therefore, prevents this malware.

Delete any email that you find suspicious or hostile and if possible, do not open the email. Emails originating from legitimate organizations should also be verified.

To prevent this malware, an antimalware solution with email coverage is essential. The software screens your emails. That way, one doesn’t have to worry about accidentally opening suspicious emails.

Contact your bank forthwith once infected with Dridex. Change your banking information and update your passwords as soon as possible. Apply this for any account you have input on the infected system.

One can prevent this malware by always keeping the macro security settings in Microsoft Office enabled. Because Dridex is a macro-based malware, the possibility of it harming the system is significantly lower when these settings are in place. IT admins can also enforce group policies that push these settings.

Banking theft is a serious crime. Therefore, we always need to be on top of security when it comes to malware. Emails need heavy guarding as they are personal. Security breaches easily happen when people care less about their online activity.

 

Source: https://blog.cyren.com/articles/fake-bacs-remittance-emails-delivers-dridex-malware.html


This post was written by Joseph McCray
