Zero days – The return of Dridex

October 20, 2017


The Dridex banking Trojan, once one of the most active and prolific malware strains, went quiet back in the summer of 2016. The large-scale spam operations distributing it dried up, and the few samples that still appeared showed no significant changes. This appears to have been a period in which the attackers were retooling, as Dridex has returned with fury in a spam campaign spearheaded by malicious Word documents exploiting a zero-day vulnerability in Microsoft Office.

The attack exploits a vulnerability in Windows Object Linking and Embedding (OLE), the technology that allows documents to contain different types of data and link with other applications. OLE has long been popular with attackers and has given rise to several notorious exploits, such as “Sandworm”, which were actively used in the wild.

As with all zero-day threats, this has the capacity to inflict significant damage, as even the most robust patch management relies on a patch being available to fix the issue. With a zero day, the threat is being actively used in the wild, and organisations that rely on reactive defence alone are often left exposed.

There are several variants of the malicious document: some are blank, while others contain text to encourage the user to disable Protected Mode in Office, which otherwise prevents the attack from launching.


Once the document is opened, it connects to a web server under the attacker's control and downloads several files, the most notable being the Dridex payload. We have observed several variants of this payload using multiple names, including %TEMP%\7500.exe and %TEMP%\redchip2.exe.

This payload is launched from the user's Temp directory alongside a dummy decoy document, also downloaded from the attacker's server. The original document that contained the zero day is closed in an effort to cover its tracks and leave only an uninfected decoy visible.

As Microsoft and AV vendors scramble to issue patches and updates to block this attack, it is important to consider what proactive measures can be taken against this kind of zero-day attack. In the short term, the usual best practice applies: patch where possible, educate users, and ensure that the Protected Mode feature in Office is enabled across all endpoints.

Avecto’s Defendpoint offers several layers of proactive defence against these kinds of threats, layers that aren’t reliant on detection or updates. In the case of this latest Dridex campaign, Defendpoint offers content isolation for email attachments, which ensures that malicious attachments are isolated from the user’s data so that any attack is contained.

Layering on privilege management and application control, Defendpoint goes beyond containment to reduce the attack surface further and prevent malware payloads from executing or gaining access to the system via admin rights. As all the layers work in harmony, it is trivial to prevent a malicious email attachment from launching malware or abusing built-in Windows tools, whilst allowing the user the freedom to access these same tools legitimately.
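The behaviour described above (Word spawning a payload such as %TEMP%\7500.exe from the user's Temp directory) and the application-control idea in the preceding paragraph can both be expressed as simple rules over process-creation telemetry. The script below is an added example written for this post, not Avecto or BeyondTrust code: it parses a handful of constructed log lines modelled loosely on Sysmon process-creation events (the field names, hostnames, user names and file paths are all assumptions), raises an alert when an Office process launches an executable from a user-writable location, and applies a generic deny-by-location rule to any other execution from such a path.

```python
"""
Added example: flag Office processes launching executables from user-writable
directories, and apply a deny-by-location rule to everything else that runs
from such a path. Log lines are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass

# Office hosts that should never be the parent of an executable in %TEMP%.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Locations an unprivileged user can write to. An application-control policy
# would normally deny execution from these unless a rule explicitly allows it.
USER_WRITABLE_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"^c:\\users\\[^\\]+\\downloads\\", re.IGNORECASE),
    re.compile(r"^c:\\windows\\temp\\", re.IGNORECASE),
]


@dataclass
class ProcessEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the process that created it
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse a constructed 'Key: value | Key: value' process-creation line."""
    fields = dict(part.strip().split(": ", 1) for part in line.split(" | "))
    return ProcessEvent(
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        user=fields["User"],
    )


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    return any(p.match(path) for p in USER_WRITABLE_PATTERNS)


def classify(ev: ProcessEvent) -> str:
    """
    ALERT : an Office process spawned an executable from a user-writable path
            (the pattern described for the Dridex dropper).
    BLOCK : execution from a user-writable path by any other parent, i.e. what
            a deny-by-location application-control rule would stop.
    ALLOW : everything else.
    """
    office_parent = basename(ev.parent_image) in OFFICE_PARENTS
    writable = in_user_writable_dir(ev.image)
    if office_parent and writable:
        return "ALERT"
    if writable:
        return "BLOCK"
    return "ALLOW"


# Constructed sample events (hostnames, users and paths are assumptions).
SAMPLE_LOG = [
    r"Image: C:\Users\alice\AppData\Local\Temp\7500.exe | ParentImage: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | User: CORP\alice",
    r"Image: C:\Users\alice\AppData\Local\Temp\redchip2.exe | ParentImage: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | User: CORP\alice",
    r"Image: C:\Windows\System32\notepad.exe | ParentImage: C:\Windows\explorer.exe | User: CORP\alice",
    r"Image: C:\Users\alice\Downloads\installer.exe | ParentImage: C:\Windows\explorer.exe | User: CORP\alice",
    r"Image: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | ParentImage: C:\Windows\explorer.exe | User: CORP\alice",
]


def triage(lines):
    """Return (executable name, verdict) for each log line."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append((basename(ev.image), classify(ev)))
    return results


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:5} {name}")
```

The rule deliberately keys on the parent/child relationship and the launch location rather than on the file names seen in this campaign, so the same check would fire on a renamed dropper; the names 7500.exe and redchip2.exe appear only in the constructed sample input.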

The video below provides a quick overview of the Dridex zero day vulnerability and how Defendpoint can help contain its threat.



James Maude
