Despite its reduction in volume, Dridex malware is still actively being developed and Forcepoint researchers have spotted a number of changes and improvements including a feature that targets crypto wallets and others which make it harder to detect and protect against.
Researchers said the malware's operators have built up profiles of commercial sandboxes and researcher VMs to essentially blacklist the machines to prevent researchers from obtaining the core module and list of peers and to make it more difficult for automated analysis systems to find and block the appropriate IP addresses, according to a Sept 5 blog post.
The trojan also contains additional coding which allows its operators to quickly and effectively profile a victim's system for software which could be targeted for financial gain.
To make outside analysis more difficult, Dridex developers have also changed parts of the malware's XML structure to more complicated binary structures. Despite the new features, researchers said it is still very much possible to reconstruct the Dridex settings configuration file received by the core module, the post said.
Dridex is indeed a popular banking trojan and its main infection method is and still consists of phishing emails with malicious attachments, VASCO Data Security Senior Manager of Market and Security Strategy Frederik Mennes told SCMagazine.com via email comments.
“Even though Dridex is designed to evade detection, security companies are continuously updating their software to counter viruses such as Dridex,” Mennes said.
To avoid infection, Mennes recommended the use of anti-virus software, two-factor authentication, anti-malware tools and up to date software.