New Dridex malware strain avoids antivirus software detection

silversurfer

A new variant of the Dridex banking Trojan has been shaken up with the ability to avoid detection by traditional antivirus products.

The latest strain of the malware was first detected by cybersecurity researcher Brad Duncan earlier this month. According to Duncan, the new Trojan variant makes use of an Application Whitelisting technique in order to block elements of the Windows Script Host.

By exploiting what can be considered weak execution protection and policies in the Windows WMI command-line (WMIC) utility, the malware is able to employ XLS scripts to bypass mitigation efforts.

Dridex has also ramped up its library infrastructure. The security researcher says the Dridex DLL files are 64-bit DLLs -- with associated SHA256 hashes -- which use file names that are loaded by legitimate Windows executables. However, the file names and hashes are refreshed and changed every time a victim logs into an infected Windows host.

Cybersecurity firm eSentire said on Thursday that the core functionality of Dridex has received an additional upgrade and provided additional details relating to the new strain.
 
