Dridex malware, which has made the news over the last decade for various reasons, is back in the news again. Dridex is also known as Bugat and Cridex.
Check Point Research, in a recent report, highlighted that Dridex maintained its position at the top of the malware list in April 2021, with a global impact on 15% of organizations. Dridex first reached this position in March 2020. Agent Tesla and Trickbot follow with 12% and 8% shares of malware impact globally.
In this post, we will summarise the key information about the three malware families, which together are responsible for more than a third of attacks last month.
Dridex Origin and Capabilities
Dridex malware attacks Windows systems. The security community has observed Dridex since at least 2012. Once pushed onto the victim's system, it starts going after the list of installed applications, app versions and the OS version of the affected machine. Until last year, the main goal of this Trojan was usually to steal banking credentials.
However, it can also download and execute arbitrary modules on command once the backchannel is in place. This makes it popular among ransomware services. Dridex serves as a foundation in organisation-wide ransomware attacks.
Dridex Delivery Mechanism
The most common delivery mechanism is email attachments, with social engineering used to trick users into opening the attachment. However, some variants can also be delivered as exploit downloads. In December last year, researchers also observed it being used in ads related to Amazon gift card offers.
Agent Tesla Origin and Capabilities
Agent Tesla is a popular "Malware-as-a-Service" RAT (Remote Access Trojan) used for stealing keystrokes, clipboard data, and credentials from web browsers (Chrome, Firefox) and email clients including Outlook, taking screenshots and more. We have seen continuous development and multiple variants of Agent Tesla since its inception in 2014. Agent Tesla can steal information via HTTP, FTP, or SMTP.
It is written in .NET and supports all versions of the Windows operating system.
Agent Tesla Delivery Mechanism
The malware is typically delivered as a malicious Office document that arrives as an e-mail attachment. The document uses social engineering to trick the user into running the embedded macro. The macro then downloads and installs the malware executable. In the last few months, threat actors have been using COVID-themed messages, often masquerading as information or updates from the WHO (World Health Organization), to spread Agent Tesla.
Trickbot Origin and Capabilities
If you remember the banking trojan Zeus from good old 2005, Trickbot can be called a prodigy of it. It is mostly traced back to 2015 and the malware named Dyre. Trickbot was first observed in 2016, seemingly built from Dyre's code, and retained its key capabilities of credential harvesting and web injection infrastructure. Trickbot can now very well be regarded as a malware enterprise with numerous plugin modules, sophisticated system reconnaissance, cryptomining and persistence capabilities.
Trickbot is widely used by ransomware families to detect and harvest data before ransomware attacks.
Trickbot Delivery Mechanism
Trickbot can be delivered through multiple stages with a wide set of tools. It can, of course, be delivered as part of malicious spam campaigns, but we have seen more creative ways, such as a Windows Script Component (WSC) file containing XML-format scripts used to deliver a malware payload.
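The delivery sections above describe macro-bearing Office attachments (Agent Tesla) and WSC files holding XML-format scripts (Trickbot). The following mail-gateway triage check is an added example, not code from this post or from the Check Point report; the function names, reason labels and sample inputs are constructed for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
# A WSC file is XML: a <component>/<scriptlet>/<package> root holding <script> blocks.
WSC_ROOT = re.compile(rb"<\s*(component|scriptlet|package)\b", re.I)
WSC_SCRIPT = re.compile(rb"<\s*script\b", re.I)
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def triage_attachment(name: str, data: bytes) -> list:
    """Return reasons to hold an attachment for sandboxing (empty list: none found)."""
    reasons = []
    if data.startswith(b"PK"):  # OOXML documents are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return ["malformed-zip"]
        if any(m.endswith("vbaproject.bin") for m in members):
            reasons.append("ooxml-with-vba-macro")
            # Macro project inside a file named as a macro-free format
            if name.lower().endswith(MACRO_FREE_EXT):
                reasons.append("macro-in-macro-free-extension")
    elif data.startswith(OLE_MAGIC):
        # Confirming VBA streams here needs an OLE parser; flag for deeper analysis.
        reasons.append("legacy-ole-document")
    elif WSC_ROOT.search(data[:4096]) and WSC_SCRIPT.search(data):
        reasons.append("windows-script-component")
    return reasons


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, inert OOXML-like archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


# Constructed sample: a harmless scriptlet skeleton with an empty script body.
SAMPLE_WSC = b'<?xml version="1.0"?>\n<component>\n<script language="JScript">\n</script>\n</component>'

if __name__ == "__main__":
    print(triage_attachment("invoice.docx", make_sample_ooxml(True)))
    print(triage_attachment("notes.docx", make_sample_ooxml(False)))
    print(triage_attachment("update.wsc", SAMPLE_WSC))
```

The check inspects content rather than trusting the file extension, so a renamed attachment is still classified by what it contains.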
The Check Point Research report can be referred here