New Tactic Used by Dridex Trojan to Bypass User Account Control

  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Recently a campaign, Dridex distribution is leveraging a fresh UAC (User Account Control) bypass method, warns Flashpoint security researchers.

First, this was discovered back in 2014, Dridex is considered as the successor of the GameOver ZeuS malware, as it often uses an improved version of GameOver ZeuS ’s peer-to-peer architecture in order to protect its (C&C) command and control server. Dridex emerged as one of most dangerous banking Trojan families present, still its recent activity has subsided compared to the levels seen in 2014 and 2015.

Recently observed a small distribution campaign that is targeting the UK financial institutions which was characterized by the use of “previously-unobserved” Dridex UAC bypass which leverages recdisc.exe, which is a Windows default recovery disc executable. This malware was also observed while loading malicious code using impersonated SPP.dll, and using spoolsrv and svchost to communicate to peers and then first-layer C&C servers.

As usual, Dridex is being distributed through spam emails with attached Word documents that feature malicious macros designed to download and execute the malware. The initially dropped module was designed to download the main Dridex payload. After infection, the Trojan moves itself from the current location to the %TEMP% folder.

On the infected machine, Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll and bypass the UAC protection on Windows 7. It does so because the platform automatically elevates the program, along with other applications white-listed for auto-elevation. Dridex leverages this feature to execute two commands on the computer.

In order to bypass this UAC, Dridex created a directory in Windows\System32\6886, and then copies legitimate binary from Windows\System32\recdisc.exe to the Windows\System32\6886\. Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and then moves itself to Windows\System32\6886\SPP.dll. Then the malware deletes wu*.exe and po*.dll from Windows\System32, after doing which it executes the recdisc.exe and then loads itself as impersonated SPP.dll with admin privileges.

 

The following two tabs change content below.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

Leave a Reply