The Dridex banking Trojan, once one of the most active and prolific malware strains, went quiet in the summer of 2016. The large-scale spam operations distributing it dried up, and the few samples that still appeared showed no significant changes. That lull now looks like a period of retooling: Dridex has returned in force, with a spam campaign spearheaded by malicious Word documents exploiting a zero-day vulnerability in Microsoft Office.
The attack exploits a vulnerability in Windows Object Linking and Embedding (OLE), the mechanism that lets a document embed different types of data and link to other applications. OLE has long been popular with attackers and has given rise to several notorious exploits, such as "Sandworm", that were actively used in the wild.
As with any zero-day threat, this one has the capacity to inflict significant damage: even the most robust patch management relies on a patch being available to fix the issue. With a zero day, the threat is already being used in the wild, and organisations that rely on reactive defence alone are often left exposed.
There are several variants of the malicious document. Some are blank; others contain text encouraging the user to leave Office's Protected View, which prevents the attack from launching while it is active.
Once the document is opened it connects to a web server under the attacker's control and downloads several files, the most notable being the Dridex payload. We have observed several variants of this payload using multiple names, including %TEMP%\7500.exe and %TEMP%\redchip2.exe.
The payload is launched from the user's Temp directory alongside a dummy decoy document, also downloaded from the attacker's server. The original document containing the zero day is then closed to cover its tracks, leaving only the harmless decoy visible.
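The chain described above (Word reaches out to a web server, drops an executable in the user's Temp directory, runs it, then swaps in a decoy) leaves a distinctive parent/child footprint on the endpoint. The following is an added detection example, not code from the original post or from Avecto: it runs over a constructed JSON-lines export of Sysmon-style events (the field names and event IDs follow Sysmon, but the GUIDs, paths and IP address are made up) and flags any process that an Office application launched from a temp directory, recording whether that Office process had already made an outbound connection. It matches on location and parent process rather than on the file names 7500.exe and redchip2.exe, because the post notes that the payload name varies between samples.

```python
import json
import re
from typing import Dict, Iterable, List

# Office processes that commonly host a malicious document; compared by basename.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Per-user and system temp directories, where the post says the payload lands.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Constructed sample events (hypothetical export, one JSON object per line).
# Sysmon EventID 1 = process creation, EventID 3 = network connection.
# {A1} is the Word process that opened the lure; {C3} is a benign Word process.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "ParentProcessGuid": "{P0}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "DestinationIp": "198.51.100.23", "DestinationPort": 80}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\7500.exe", "ParentProcessGuid": "{A1}", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"}
{"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "ParentProcessGuid": "{P0}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{D4}", "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader\\AcroRd32.exe", "ParentProcessGuid": "{C3}", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"}
{"EventID": 1, "ProcessGuid": "{E5}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_tmp.exe", "ParentProcessGuid": "{F6}", "ParentImage": "C:\\Windows\\explorer.exe"}
""".strip().splitlines()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per process that an Office app launched from a temp directory.

    Events are processed in the order given, so parent_connected is only True
    when the Office process's EventID 3 arrived before the child's EventID 1.
    """
    connected = set()  # ProcessGuids that have made an outbound connection
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 3:
            connected.add(ev["ProcessGuid"])
            continue
        if ev["EventID"] != 1:
            continue
        parent_is_office = basename(ev["ParentImage"]) in OFFICE_APPS
        child_in_temp = TEMP_DIR_RE.search(ev["Image"]) is not None
        if parent_is_office and child_in_temp:
            alerts.append({
                "parent": ev["ParentImage"],
                "child": ev["Image"],
                # High confidence when the Office process already phoned out
                "parent_connected": ev["ParentProcessGuid"] in connected,
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this produces a single alert, for 7500.exe with parent_connected set, while Word opening a PDF in Acrobat Reader and a user-launched installer in Temp are left alone. In a real pipeline sort by timestamp before feeding events in, since the network flag depends on event order, and expect some tuning: a few legitimate add-in installers also run from the user's Temp directory, so treat the parent-made-a-connection case as the high-confidence hit.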
As Microsoft and AV vendors scramble to issue patches and updates to block this attack, it is worth considering what proactive measures can be taken against zero-day attacks of this kind. In the short term the usual best practice applies: patch where possible, educate users, and ensure that Office's Protected View is enabled across all endpoints.
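One way to verify the Protected View part of that advice across a fleet, as an added example that is not code from the post or from Defendpoint: the script below reads the documented Protected View registry values for Word, Excel and PowerPoint (Office 14.0 to 16.0) under HKEY_CURRENT_USER, checks the Group Policy hive before the user's own settings because policy wins, and reports every source for which Protected View has been switched off (a value of 1 in any of the three Disable*InPV values). The registry reader is injected so the decision logic can be exercised with a constructed snapshot (the FAKE_REGISTRY entries are made up) on a non-Windows machine; on Windows it reads the live registry.

```python
import sys
from typing import Callable, List, Optional, Tuple

OFFICE_VERSIONS = ("16.0", "15.0", "14.0")  # Office 2016, 2013, 2010
OFFICE_APPS = ("Word", "Excel", "PowerPoint")
# Each value, when set to 1, disables Protected View for one source of files.
PV_VALUES = ("DisableAttachmentsInPV", "DisableInternetFilesInPV", "DisableUnsafeLocationsInPV")

Reader = Callable[[str, str], Optional[int]]


def pv_key_paths(version: str, app: str) -> Tuple[str, str]:
    """(policy key, user key) under HKCU; the policy key takes precedence."""
    return (
        rf"Software\Policies\Microsoft\Office\{version}\{app}\Security\ProtectedView",
        rf"Software\Microsoft\Office\{version}\{app}\Security\ProtectedView",
    )


def read_registry_value(path: str, name: str) -> Optional[int]:
    """Read a DWORD from HKCU on Windows; None if the key or value is absent."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return value
    except OSError:
        return None


def audit(reader: Reader = read_registry_value) -> List[Tuple[str, str, str]]:
    """Return (version, app, value_name) for every Protected View source that is disabled."""
    findings = []
    for version in OFFICE_VERSIONS:
        for app in OFFICE_APPS:
            policy_path, user_path = pv_key_paths(version, app)
            for name in PV_VALUES:
                value = reader(policy_path, name)  # Group Policy overrides the user
                if value is None:
                    value = reader(user_path, name)
                if value == 1:
                    findings.append((version, app, name))
    return findings


# Constructed snapshot (hypothetical): the user turned Protected View off for
# Word attachments but policy re-enables it; Excel has internet files unprotected.
FAKE_REGISTRY = {
    (r"Software\Microsoft\Office\16.0\Word\Security\ProtectedView", "DisableAttachmentsInPV"): 1,
    (r"Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView", "DisableAttachmentsInPV"): 0,
    (r"Software\Microsoft\Office\16.0\Excel\Security\ProtectedView", "DisableInternetFilesInPV"): 1,
}


def fake_reader(path: str, name: str) -> Optional[int]:
    return FAKE_REGISTRY.get((path, name))


if __name__ == "__main__":
    chosen = read_registry_value if sys.platform == "win32" else fake_reader
    for version, app, name in audit(chosen):
        print(f"Protected View weakened: Office {version} {app} {name}=1")
```

Run it under the affected user's account, since HKCU is per user; a clean endpoint prints nothing. To enforce rather than audit, set the three Disable*InPV values to 0 in the Policies hive through Group Policy, so that the change the lure documents ask the user to make is no longer theirs to make.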
Avecto's Defendpoint offers several layers of proactive defence against these kinds of threats, layers that are not reliant on detection or updates. In the case of this latest Dridex campaign, Defendpoint offers content isolation for email attachments, which keeps malicious email attachments isolated from the user's data so that any attack is contained.
Layering on privilege management and application control, Defendpoint goes beyond containment to reduce the attack surface further and prevent malware payloads from executing or gaining access to the system via admin rights. Because all the layers work together, it is straightforward to prevent a malicious email attachment from launching malware or abusing built-in Windows tools while still allowing the user to use those same tools legitimately.
The video below provides a quick overview of the Dridex zero-day vulnerability and how Defendpoint can help contain the threat.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.