Dridex module leaks system info and potentially more. (Dec 11th, 2015)
The Dell SonicWALL UTM research team has discovered a Dridex info-stealer module that leaks system information and carries code for potentially modifying certificates stored on the system.
Infection Cycle:
Upon infection the Trojan sends the following system information to a remote C&C server:
The following encrypted conversation was then observed:
The Trojan drops the following file: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)] on the infected system:
2FE.tmp.mod contains the following strings:
Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0
CryptSIPDllGetSignedDataMsg
CryptDllExportPublicKeyInfoEx
CryptDllImportPublicKeyInfoEx
CryptDllEncodePublicKeyAndParameters
CryptDllConvertPublicKeyInfo
CertDllVerifyRevocation
CertDllVerifyCTLUsage
CertDllOpenSystemStoreProv
CertDllRegisterSystemStore
CertDllUnregisterSystemStore
CertDllEnumSystemStore
CertDllRegisterPhysicalStore
CertDllUnregisterPhysicalStore
CertDllEnumPhysicalStore
CryptDllExportPrivateKeyInfoEx
CryptDllImportPrivateKeyInfoEx
CertDllVerifyCertificateChainPolicy
CryptMsgDllExportEncryptKey
CryptMsgDllImportEncryptKey
CryptMsgDllGenContentEncryptKey
CryptMsgDllImportKeyTrans
CryptMsgDllImportKeyAgree
CryptMsgDllImportMailList
These are not arbitrary strings: they are the names of Windows CryptoAPI OID function sets as defined in wincrypt.h (for example CRYPT_OID_OPEN_SYSTEM_STORE_PROV_FUNC is "CertDllOpenSystemStoreProv" and CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC is "CertDllVerifyCertificateChainPolicy"). crypt32.dll resolves each set to a provider DLL through the registry under HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType <n>\<FuncName>\<OID>, where CryptRegisterOIDFunction writes the "Dll" and "FuncName" values and CryptGetOIDFunctionAddress reads them back. Code that carries these names can enumerate, call or replace the providers behind certificate store access, chain policy and revocation checking, SIP signature retrieval and private key import/export, which suggests intent to inspect or manipulate certificates on the infected system. The strings alone show capability; a concrete certificate modification was not observed, so this remains potential rather than confirmed behaviour.
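A practical check a defender can run against this capability is to enumerate the OID function-set registrations and report any provider that does not live in System32 or SysWOW64. The script below is an added example, not code from the advisory or from the Dridex module; it assumes C:\Windows as the install root when expanding %SystemRoot% so the audit logic also runs on a non-Windows analysis box, and the sample registrations are constructed (the 2FE.tmp.mod entry is a hypothetical hijack of the chain-policy provider, not behaviour the advisory reports).

```python
"""Hunt for non-Microsoft CryptoAPI OID function-set providers.

Added example, not code from the SonicWall advisory or the Dridex module.
Windows maps each OID function-set name to a provider DLL through
  HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType <n>\\<FuncName>\\<OID>
with a "Dll" value (REG_SZ or REG_MULTI_SZ) written by CryptRegisterOIDFunction.
A provider registered from outside System32/SysWOW64 is a hijack candidate.
"""
import re
import sys

# Function sets from the module's string list whose provider controls
# certificate trust, store access or private-key handling.
SENSITIVE_FUNCS = {
    "CertDllOpenSystemStoreProv", "CertDllEnumSystemStore",
    "CertDllRegisterSystemStore", "CertDllVerifyRevocation",
    "CertDllVerifyCTLUsage", "CertDllVerifyCertificateChainPolicy",
    "CryptDllExportPrivateKeyInfoEx", "CryptDllImportPrivateKeyInfoEx",
    "CryptSIPDllGetSignedDataMsg",
}

# Directories a Microsoft-supplied provider is expected to live in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Expanded by hand (assumption: C:\Windows) so this also runs off-box.
_ENV = re.compile(r"%(systemroot|windir)%", re.IGNORECASE)


def dll_paths(value):
    """Normalise a registry "Dll" value (REG_SZ or REG_MULTI_SZ) to
    lower-case paths, one per DLL listed."""
    items = value if isinstance(value, (list, tuple)) else [value]
    return [_ENV.sub("C:\\\\Windows", v).strip().lower() for v in items if v]


def audit_entries(entries):
    """Return findings for registrations that are not plainly Microsoft's.

    Severity: high  = sensitive function set served from outside System32
              medium = other function set served from outside System32
              info   = bare file name, resolved by the DLL search order, so
                       the System32 copy must be confirmed by hand."""
    findings = []
    for e in entries:
        for path in dll_paths(e["dll"]):
            base = {"func": e["func"], "oid": e["oid"], "dll": path}
            if "\\" not in path:
                findings.append(dict(base, severity="info",
                                     reason="bare file name, resolved by DLL search order"))
            elif not path.startswith(TRUSTED_DIRS):
                sev = "high" if e["func"] in SENSITIVE_FUNCS else "medium"
                findings.append(dict(base, severity=sev,
                                     reason="provider DLL outside System32/SysWOW64"))
    return findings


def _subkeys(key):
    import winreg
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:
            return
        i += 1


def collect_from_registry():
    """Read live registrations on Windows from both the 64-bit and the
    WOW64 registry views; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    base = r"SOFTWARE\Microsoft\Cryptography\OID"
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        access = winreg.KEY_READ | view
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base, 0, access)
        except OSError:
            continue
        with root:
            for enc in _subkeys(root):                    # "EncodingType 0", "EncodingType 1"
                with winreg.OpenKey(root, enc, 0, access) as enc_key:
                    for func in _subkeys(enc_key):        # e.g. CertDllVerifyRevocation
                        with winreg.OpenKey(enc_key, func, 0, access) as func_key:
                            for oid in _subkeys(func_key):
                                with winreg.OpenKey(func_key, oid, 0, access) as k:
                                    try:
                                        dll, _ = winreg.QueryValueEx(k, "Dll")
                                    except FileNotFoundError:
                                        continue          # key without a Dll value
                                    out.append({"encoding": enc, "func": func,
                                                "oid": oid, "dll": dll})
    return out


# Constructed sample registrations; the 2FE.tmp.mod entry is hypothetical.
SAMPLE_ENTRIES = [
    {"encoding": "EncodingType 0", "func": "CertDllVerifyRevocation",
     "oid": "DEFAULT", "dll": ["%SystemRoot%\\System32\\cryptnet.dll"]},
    {"encoding": "EncodingType 1", "func": "CryptDllExportPublicKeyInfoEx",
     "oid": "1.2.840.113549.1.1.1", "dll": "crypt32.dll"},
    {"encoding": "EncodingType 0", "func": "CertDllVerifyCertificateChainPolicy",
     "oid": "1.3.6.1.5.5.7.3.3", "dll": "C:\\Users\\Public\\2FE.tmp.mod"},
    {"encoding": "EncodingType 1", "func": "CryptDllEncodeObject",
     "oid": "1.2.3.4", "dll": "C:\\Program Files\\Vendor\\vendorcsp.dll"},
]

if __name__ == "__main__":
    live = collect_from_registry()
    for f in audit_entries(live or SAMPLE_ENTRIES):
        print(f"[{f['severity']}] {f['func']} {f['oid']} -> {f['dll']}: {f['reason']}")
```

Run it as an administrator on a suspect host to audit the live registry; elsewhere it audits the constructed sample. Legitimate third-party CSPs, SIPs and smart-card providers also register here, so a medium finding is a lead to verify (publisher signature, install history), not a verdict on its own.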
On our infected test system the following data was encrypted and leaked to a C&C server:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Dridex.AA_3 (Trojan)
- GAV: Dridex.OOVO (Trojan)