SOURCE: Invincea


October 26, 2015 09:00 ET

Dridex Returns With a Vengeance, Targeting French Users and Employing Comodo Signed Certificates

Resurgence of Costly Banking Trojan Driven by Weaponized Microsoft Word Documents Posing as Receipts and Performing "Just-In-Time" Malware Assembly

FAIRFAX, VA--(Marketwired - October 26, 2015) - Invincea, the leader in advanced endpoint threat protection, is notifying businesses and individuals that a major international cyber-crime operation previously believed to be shut down by law enforcement is once again actively operating and targeting French users. Invincea is releasing this advisory because the French campaign may portend the resurgence of a broader campaign that will likely target users in the US and other countries, as Dridex has done previously.

Dridex is a widespread banking Trojan that rose to prominence after the Zeus takedown. The Dridex botnet is estimated to have caused more than $30 million in bank fraud losses in the UK and more than $10 million in the US, according to authorities.

Following the arrests last summer of key Eastern European cyber-crime figures in connection with Dridex, the FBI in cooperation with the UK National Crime Agency announced in mid-October that it took down core command and control infrastructure used by Dridex. This takedown, along with the arrests of key individuals, presumably crippled the ability of Dridex to send stolen information to the criminal elements running Dridex campaigns. However, as Avira reported, at least some Dridex command and control infrastructure was still operating following the FBI announcement.

Since October 22, Invincea has observed 60 instances of cyber-thieves targeting French users with the Dridex banking Trojan, indicating Dridex is alive and well, and at least some of its command and control infrastructure has been restored. Furthermore, Invincea observed that the Dridex malware dropped through these attacks were signed with Comodo digital certificates, which means security technologies that trust signed executables will fail to stop these attacks.

This renewed Dridex campaign targets users with weaponized Microsoft Office documents posing as receipts from popular retail stores and hotels (see Dridex weaponized documents image).

The observed weaponized documents have similar names. "Facture" means "bill" in French, and is typically followed by the name of a shop or hotel, and then a hexadecimal code. Each weaponized document uses Just-in-Time (JIT) malware assembly techniques to build malware directly on the endpoint, while evading network monitoring and sandboxing defenses. Dridex is particularly pernicious because of its use of Microsoft Word macros and encryption techniques to thwart advanced static analysis technologies, in addition to the JIT malware assembly tactics to evade network defenses. The combination of these methods that evade network and endpoint security solutions gives it particularly high infection rates: SecurityScorecard reports it was the most prolific banking Trojan afflicting the corporate sector during the first six months of 2015 (1). More details on Dridex's capabilities are available in the Avira and Trend Micro blog posts.

In the attack chain log file image, the assembled executable was named PIDARAS.exe, which is part of the Dridex malware family. The attacks noted here were all detected and stopped by Dell Data Protection | Protected Workspace, a secure virtual container technology built by Invincea that ships on all Dell commercial PCs, and which employs behavioral threat detection and containerization to detect and stop unknown threats.

Detailed logs

The attack chain log file image shows that a weaponized document called "facture_laurent bailliard-375BC188 (002).doc" was opened from the email application Outlook, indicating the user received a phishing email. Next, VBScript and Visual Basic macros were used to assemble the malware "PIDARAS.exe" onto the endpoint, after which cmd.exe was invoked to run PIDARAS.exe. Once running, the malware communicated with Japan-based hosts on, a free Linux hosting service, using the command and control port of 473.

During this latest campaign, only four anti-virus companies were aware of the PIDARAS.exe variant of Dridex, meaning that the vast majority of users relying on anti-virus were unprotected against this advanced threat. As with all signature-based approaches, the number of AV products recognizing the malware increases over time, while cyber-criminals continue to create new variants to stay ahead of such solutions.

Furthermore, this malware was code signed by Comodo, a security company that provides digital certificates for software and websites. Enterprises that whitelist signed executables would have been particularly vulnerable to this attack.

Dell Protected Workspace and Invincea users are protected against this threat, which is detected and stopped through Invincea's container-based document protection. Invincea's technology identifies weaponized documents through its behavioral monitoring engine, without requiring signatures. As a result, any future threat that relies on Office macros / scripting, known applications performing maliciously (such as cmd.exe), or just-in-time malware assembly will be stopped as well.

Today's Threatscape Dominated by Weaponized Documents

According to Invincea research, weaponized documents have overwhelmingly been the top threat facing enterprises during the last two months. Invincea stops hundreds of previously unseen weaponized document attacks per day across its customer base. Furthermore, these attacks are employing techniques that evade network defenses. The predominant tactic observed by Invincea in evading enterprise defenses is the use of JIT malware assembly, where binaries are created directly on endpoints by using native Windows scripting utilities. This method bypasses most network security controls, including network monitoring, perimeter file interception, and network sandboxes.

(1) SecurityScorecard, 2015 Banking Malware Research Report

Follow Invincea:
Invincea Blog:

Twitter: @Invincea

About Invincea, Inc.
Invincea is the leader in advanced endpoint threat protection for enterprises worldwide. The company provides the most comprehensive solution to contain, identify, and control the advanced attacks that evade legacy security controls. Invincea protects enterprises against targeted threats including spear-phishing and Web drive-by attacks that exploit Java, Flash, and other applications. Combining the visibility and control of an endpoint solution with the intelligence of cloud analysis, Invincea provides the only market-deployed solution that defends against 0-day exploits, file-less malware, and previously unknown malware. The company is venture capital-backed and based in Fairfax, VA. For more information, visit

Image Available:
Image Available:

Contact Information