The Watch Commander’s Log is a series that provides a direct view into the threats Agio’s Managed Detection and Response (MDR) team handles for our clients. If you have questions about anything you read here, please feel free to reach out to us at firstname.lastname@example.org. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.
In late 2019, the U.S. Justice Department was applauded for arresting the alleged masterminds behind Dridex, malware widely used in successful phishing attacks like the email below, sent with the catchy subject line “COVID-19 Everything you need to know.”
The arrested hackers called themselves Evil Corp. Their profits exceeded $100 million, and despite last year’s arrests, they are resurfacing as a challenging and sophisticated threat.
Dridex malware originated in 2015 and is continuously re-emerging with derivative versions and behaviors, making it particularly difficult to track. Most recently, it’s been seen in emails claiming to share information about the COVID-19 pandemic. To ensure that businesses are taking defensive actions to be as prepared and informed as possible, I’ll share my analysis of some of the inner workings of a Dridex sample recently found in the wild on July 08, 2020.
I opened the file inside a closed (no network) virtual machine using Ghidra, the open-source reverse engineering tool created by the National Security Agency (NSA), and OllyDbg, the x86 debugger for Windows.
Malware: Dridex 32-bit (x86)
The Dridex sample appeared to be a legitimate Open Database Connectivity (ODBC) driver associated with Microsoft Visual FoxPro. According to Microsoft, this driver can be used to do the following:
- Use Microsoft Query to query and update Visual FoxPro data from Microsoft Excel worksheets
- Create mail-merge letters using Visual FoxPro data with Microsoft Word
- Query and update Visual FoxPro views and tables from Microsoft Access
- Use Visual FoxPro as the data store for Microsoft Visual Basic, Microsoft Visual C++, and C applications
Disguising the malware as a FoxPro driver is an obvious tactic to avoid detection by security tools.
The second stage in the analysis was to pivot on the Entry Point of the file:
Continuing from the Entry Point is a list of imports used by the malware to accomplish command and control of the victim machine. Ghidra shows this nicely via the Symbol Tree:
Note the API calls from Kernel32.DLL, specifically EraseTape. This import confirms that the sample can turn into a ransomware infection through its tactic of deleting backups before the payload is even detonated (i.e., before data encryption begins). This infection stage is itself an indication of sophisticated malware.
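The import-table review above was done in Ghidra’s Symbol Tree; the same triage can be scripted for bulk samples. The following is an added example, not code from the original post or from Agio: a minimal PE32 import-directory parser in Python that walks the import descriptors and flags the imports the post calls out, EraseTape from Kernel32.DLL and anything from Crypt32.DLL. Because the analysed sample is not reproduced here, the script builds its own tiny, constructed PE image containing those imports; `build_sample_pe`, the `API_WATCHLIST` and `WATCHED_DLLS` tables, and the function names chosen for the constructed image are assumptions for illustration only.

```python
import struct

# Imports the post singles out. The reasons follow the post's analysis; the table
# itself is an assumption for this illustration, not a production signature set.
API_WATCHLIST = {
    ("kernel32.dll", "EraseTape"): "erases backup tape media before the payload is detonated",
}
WATCHED_DLLS = {"crypt32.dll": "Windows cryptographic API (see the CVE-2020-0601 note)"}


def build_sample_pe(imports):
    """Constructed stand-in for a sample: a minimal, non-runnable PE32 whose single
    .idata section holds an import directory for {dll_name: [function, ...]}."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    sec = bytearray()

    def place(blob):                       # append blob to the section, return its RVA
        rva = SEC_RVA + len(sec)
        sec.extend(blob)
        return rva

    descriptors = b""
    for dll, names in imports.items():
        name_rva = place(dll.encode("ascii") + b"\0")
        # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the NUL-terminated function name
        by_name = [place(struct.pack("<H", 0) + n.encode("ascii") + b"\0") for n in names]
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + struct.pack("<I", 0)
        int_rva, iat_rva = place(thunks), place(thunks)   # lookup table, address table
        descriptors += struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva)
    descriptors += b"\0" * 20                             # terminating null descriptor
    imp_rva = place(descriptors)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, imp_rva, len(descriptors))  # DataDirectory[1] = imports
    sec_hdr = struct.pack("<8sIIII", b".idata\0\0", len(sec), SEC_RVA, len(sec), SEC_RAW) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers + b"\0" * (SEC_RAW - len(headers)) + bytes(sec)


def _read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return [(dll, function), ...] from a PE file's import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: 32-bit thunks
        dd, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:                                  # PE32+: 64-bit thunks
        dd, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic")
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd + 8)
    sections = []
    for i in range(nsec):                                 # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def to_off(rva):                                      # map an RVA to a file offset via the section table
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x outside any section" % rva)

    result = []
    if imp_rva == 0:
        return result
    off = to_off(imp_rva)
    while True:                                           # one IMAGE_IMPORT_DESCRIPTOR per DLL
        orig_first, _, _, name_rva, first = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first == 0:
            break
        dll = _read_cstr(data, to_off(name_rva))
        toff, tsize = to_off(orig_first or first), struct.calcsize(thunk_fmt)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, toff)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                func = "ordinal#%d" % (entry & 0xFFFF)
            else:
                func = _read_cstr(data, to_off(entry) + 2)    # skip the 2-byte hint
            result.append((dll, func))
            toff += tsize
        off += 20
    return result


def flag_imports(imports):
    """Return (dll, function, reason) for every import on the watchlist."""
    flagged = []
    for dll, func in imports:
        if (dll.lower(), func) in API_WATCHLIST:
            flagged.append((dll, func, API_WATCHLIST[(dll.lower(), func)]))
        elif dll.lower() in WATCHED_DLLS:
            flagged.append((dll, func, WATCHED_DLLS[dll.lower()]))
    return flagged


if __name__ == "__main__":
    # Constructed image; the function names are chosen for illustration only.
    pe = build_sample_pe({"KERNEL32.DLL": ["EraseTape", "CreateFileW"],
                          "CRYPT32.DLL": ["CryptProtectData"]})
    for dll, func, why in flag_imports(parse_imports(pe)):
        print(f"{dll}!{func}: {why}")
```

Point `parse_imports` at the bytes of a real file instead of the constructed image and the same walk applies; a watchlist hit is a reason to look closer, not a verdict, since legitimate backup software also imports the tape APIs.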
The Importance of Backups
If businesses want to meet this ransomware challenge, they must invest in a backup solution. They must also coordinate with security professionals to ensure the backup has not previously been compromised and that the appropriate security protocols are in place surrounding access to institutional data (i.e., trade secrets).
It is also worth noting the importance of Crypt32.DLL, which received a patch in January 2020 for the vulnerability CVE-2020-0601. Exploiting the vulnerability allowed attackers “to sign a malicious executable, making it appear the file was trusted (and) legitimate…” Administrators and owners of sensitive data are encouraged to check their systems for this vulnerability and apply the appropriate patches as soon as possible.
Ransomware will continue to seek out and attempt to destroy assets and information by taking advantage of weaknesses in backup implementations and unpatched vulnerabilities. However, by continuing best practices for handling sensitive data, maintaining security hygiene, and engaging security professionals as a trusted resource, the odds of succumbing to ransomware will be extremely low.
Based on our responses to client encounters with ransomware, a defense-in-depth approach can provide the necessary resilience and reduce the likelihood of your organization becoming a victim.
- Phishing Protection: Initial access is typically executed by phishing. All organizations should have an anti-phishing solution to provide an early indicator of danger (Agio’s Inky does this well) combined with regular cybersecurity awareness training like that offered by Agio’s SEC Cybersecurity Governance program.
- Execution: Should the payload or link to a bad site make it past the perimeter, a tested endpoint solution like Agio’s EDR (powered by Cylance) blocks the execution of suspicious file types and quarantines them as seen with Dridex malware and variants.
- Detection & Response: Should your EDR prove ineffective, your ability to detect activity such as file monitoring events, DLL injection, PowerShell scripts, etc. can provide the opportunity to stop forward movement.
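The Detection & Response layer above names the kinds of activity worth alerting on once a payload is running: file events, DLL injection and PowerShell. As an added example (not code from the original post, and not Agio’s MDR detection content), the Python below runs four small rules over a handful of constructed endpoint events. The records are loosely modelled on Sysmon event IDs 1 (process create), 8 (CreateRemoteThread) and 11 (file create), but the field set, the file paths, the encoded command line placeholder and the allowlists are all assumptions made for the illustration.

```python
import re

# Constructed endpoint events, loosely modelled on Sysmon event IDs 1, 8 and 11.
# Paths, user name and the "-Enc" payload placeholder are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\jdoe\Downloads\COVID-19 Everything you need to know.doc"'},
    {"id": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\update.dll"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc <CONSTRUCTED-BASE64>"},
    {"id": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},   # benign admin script
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line traits that rarely appear in legitimate interactive PowerShell use.
PS_INDICATORS = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)? hidden|downloadstring|\biex\b|"
    r"invoke-expression|frombase64string)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Processes permitted to create threads in other processes; assumed, tune per environment.
INJECTION_ALLOWLIST = {"csrss.exe", "werfault.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    if event["id"] == 1:
        parent, image = basename(event["ParentImage"]), basename(event["Image"])
        cmd = event.get("CommandLine", "")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_spawned_script_host")
        if image in {"powershell.exe", "pwsh.exe"} and PS_INDICATORS.search(cmd):
            hits.append("suspicious_powershell_cmdline")
    elif event["id"] == 8:
        if basename(event["SourceImage"]) not in INJECTION_ALLOWLIST:
            hits.append("remote_thread_injection")
    elif event["id"] == 11:
        target = event["TargetFilename"]
        if target.lower().endswith((".dll", ".exe")) and USER_WRITABLE.search(target):
            hits.append("executable_dropped_in_user_path")
    return hits


def scan(events):
    """Run every rule over every event; returns (event_index, event_id, rule_name) tuples."""
    return [(i, ev["id"], hit) for i, ev in enumerate(events) for hit in evaluate(ev)]


if __name__ == "__main__":
    for idx, eid, rule in scan(SAMPLE_EVENTS):
        print(f"event #{idx} (id {eid}): {rule}")
```

Individually, each hit is low-confidence (admins do run PowerShell, and installers do write DLLs under AppData); what makes the constructed chain worth an analyst’s time is that three different rules fire within the same process lineage, which is the kind of correlation the Detection & Response layer relies on to stop forward movement.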
It’s important to ensure systems are set by default to prevent the execution of macros. Inform and educate employees on the appearance of phishing messages. Conduct regular backups of data, ensuring backups are protected from a potential ransomware attack. Have an IR plan and know whom to call if you have an incident.
If you have questions about anything you read here, please feel free to reach out to us at email@example.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.