Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


sample technology analysis and protection scheme of dridex online banking trojan

Posted by bax at 2020-04-15


The IBM X-Force security team recently found an upgraded version of the Dridex banking Trojan, known as Dridex v4. Dridex is one of the most widespread banking Trojans; it was first discovered in 2014 and was regarded as the successor of GameOver Zeus (GoZ) because it reused techniques from that malware. An important change in Dridex v4 is that it uses the AtomBombing technique to inject malicious code and evade detection by anti-virus software.

AtomBombing was disclosed by the company enSilo. It takes advantage of a design weakness of the atom table in the Windows operating system: malicious code can be written into the global atom table, then retrieved and executed later from inside another process.

Sample overview

The sample is a 64-bit DLL file. It uses AtomBombing to inject code into explorer.exe in order to hijack traffic, sets a registry key value for self-start, and creates a scheduled task that executes every hour.

Sample analysis

Analysis environment

TAC test results

File structure

Version information

Main functions

3. Adds firewall rules by creating and running a .cmd file so that explorer.exe is allowed to listen on a port, then listens on local port 443.

4. Hijacks the traffic on port 443 and forwards it to a remote server.

The execution flow is as follows:

Each function of the sample is briefly introduced below (with code snippets and explanation):

1. Get the target thread

The sample decrypts itself to construct a new DLL file:

It reads a process snapshot and finds the explorer.exe process:

It obtains the import table data to be injected:

The functions in the import table include:

In order to find an alertable thread, the sample opens every thread of explorer.exe (0x26 threads at the time of analysis) and tests each one:

It creates an event:

Using the NtQueueApcThread API, it queues a call to ZwSetEvent in each of the other process's threads:

It then calls WaitForMultipleObjects and selects the first thread that sets the signal:

2. Write the import table of the injected code into the target

It adds a string to the global atom table and verifies that it was added successfully:

Through the NtQueueApcThread API, the target thread calls GlobalGetAtomNameW, which retrieves the data and places it in RW memory of the ntdll module inside the target process (one atom is written and then deleted for each chunk):

It verifies the write by reading back the data written into the target process and comparing it with the local original:

It sets a block of memory in the target process to RWX and writes the decrypted machine code in the same way as the import table, in multiple rounds:

When finished, it changes the memory protection to read/execute (RX):

In the same way, it overwrites the first 7 bytes of GlobalGetAtomNameA in the target process with a jump to the shellcode:

The modified GlobalGetAtomNameA function:

Through the NtQueueApcThread API, the target thread calls GlobalGetAtomNameA; because its first 7 bytes have been patched, the shellcode is executed:

Shellcode section:

The shellcode restores the patched bytes of GlobalGetAtomNameA:

It maps the original sample into memory and copies it into newly allocated local memory:

It changes the protection of the copied region to read/execute:

It creates a thread to execute the copied code, sets the event on completion, and then returns to the original thread.

This thread resolves the IAT:

After the sample image is mapped and copied into its own memory, execution is transferred to it (the parameter is the address of the previously copied data):

It checks whether the parameter is valid:

If the parameter is valid, it creates a thread:

The key set file is modified and a new key pair is created; this prepares for hijacking HTTPS communication later:

The newly generated key pair:

It reads the EXE files in the C:\Windows\System32 directory:

It selects the target file to forge from the import table, reads it into memory and inspects its import table and other contents:

A new PE file is created (forged by the sample according to the export table of the legitimate DLL, to be used for DLL hijacking) and saved in the temporary folder:

Several *.cmd files are created to add firewall rules allowing explorer.exe to listen on a local port:

The newly created temporary file is placed in a new folder and named appwiz.cpl (appwiz.cpl is the file the sample chose to impersonate; it is loaded by the application that calls it, so the malicious sample masquerades as appwiz.cpl and, once it gains execution, runs the same content as the decrypted sample). optionalfeatures.exe, the legitimate application that loads appwiz.cpl, is copied into the same folder; at run time it loads appwiz.cpl, so the malicious sample hijacks it. The legitimate application is then registered as a startup entry in the registry.

Two similar folders exist in the C:\Windows\System32 directory. Only one of the applications is set to run at system start; the other is executed by a scheduled task that runs every hour, to keep the malware resident in memory:

The path of the created *.cmd file is set as the (Default) value of the registry key HKCU\Software\Classes\mscfile\shell\open\command:

The sample starts the eventvwr.exe process to execute each .cmd file. Because of the registry modification above, eventvwr.exe runs the program under HKCU\Software\Classes\mscfile\shell\open\command; afterwards the related registry key is restored and cleanup is performed:

After the above operations, the sample begins to perform its network functions.

Network behavior

The network function of this sample is to hijack traffic on port 443.

It listens on local port 443 and calls select in an infinite loop; on success it accepts the connection and then creates a thread:

After the connection is simulated, the sample creates a new thread:

It tries to receive data:

After receiving the data, it calls connect (the IP address of the connection is invalid):

After the connection was simulated, the program was observed to send the data received on port 443 to the newly connected server and then repeat the receive-and-send cycle:

Startup method

A startup entry like the following is created: the application is a legitimate program, and a DLL it requires at run time sits in the same directory. Hijacking that DLL when the application runs completes the self-start:

Anti-virus evasion

The sample executes via DLL hijacking and injects shellcode using AtomBombing. After injection the original program state is restored and the malicious code runs in a newly created thread, so the host program's normal execution is not affected. Dynamic API resolution increases the difficulty of detection and analysis. For persistence, a legitimate program is registered as the startup entry and the DLL it requires is hijacked, which avoids detection. eventvwr.exe together with a registry modification is used to execute the *.cmd file.

Protection scheme

1. User self-check

(1) There are two C:\Windows\System32\0485[random] directories, each containing an EXE file and the DLL or CPL file it needs to run.

(2) The HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key contains a startup entry for the EXE program from check (1).

(3) The list of scheduled tasks contains a task created by the sample, named after the EXE program from check (1).

(4) The explorer.exe process listens on port 443.

(5) Check whether the files under C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-* have been modified.

(6) Check the firewall rules. On an infected machine there is a rule named "Core Networking – Multicast Listener Done (ICMPv4-In)" whose program is "C:\Windows\explorer.exe".
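The six checks above can be scripted. The PowerShell below is an added example, not code from the original post or from Lvmeng Technology; it assumes the folder prefix "0485" and the rule name exactly as stated above, and the 7-day window for key-container changes is a constructed heuristic.

```powershell
# Added example, not code from the original post: runs the six self-check items above.
# Assumptions: folder prefix '0485' and the rule name come from the post; the 7-day
# window for RSA key-container changes is a constructed heuristic, not from the post.
$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'
# (1) System32\0485[random] folders holding an EXE plus the DLL/CPL it loads
$exeNames = @()
foreach ($d in (Get-ChildItem $sys32 -Directory -Filter '0485*' -ErrorAction SilentlyContinue)) {
    $files = Get-ChildItem $d.FullName -File -ErrorAction SilentlyContinue
    $exe = $files | Where-Object Extension -eq '.exe'
    $dep = $files | Where-Object { $_.Extension -in '.dll', '.cpl' }
    if ($exe -and $dep) {
        $findings += "(1) $($d.FullName): $($exe.Name -join ', ') with $($dep.Name -join ', ')"
        $exeNames += $exe | ForEach-Object BaseName
    }
}

# (2) HKCU Run values pointing into one of those folders
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Value -is [string] -and $p.Value -match '\\System32\\0485') {
        $findings += "(2) Run value '$($p.Name)' -> $($p.Value)"
    }
}

# (3) scheduled tasks named after an EXE found in (1)
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $exeNames -contains $_.TaskName } |
    ForEach-Object { $findings += "(3) scheduled task $($_.TaskPath)$($_.TaskName)" }

# (4) explorer.exe listening on TCP 443
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc.ProcessName -eq 'explorer') { $findings += "(4) explorer.exe (PID $($proc.Id)) listens on 443" }
}

# (5) recently modified RSA key containers in the user's profile
$rsa = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
Get-ChildItem $rsa -Directory -Filter 'S-1-5-*' -ErrorAction SilentlyContinue | Get-ChildItem -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { $findings += "(5) key container modified $($_.LastWriteTime): $($_.FullName)" }

# (6) a rule carrying the legitimate 'Multicast Listener Done' name but bound to explorer.exe
Get-NetFirewallRule -DisplayName 'Core Networking*Multicast Listener Done*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -match 'explorer\.exe$') { $findings += "(6) firewall rule '$($_.DisplayName)' allows $prog" }
    }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'None of the six Dridex v4 indicators was found.' }
```

Run it in an elevated PowerShell session; the firewall and scheduled-task cmdlets need administrator rights to see all rules and tasks.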

2. Lvmeng Technology Trojan removal solution

Statement

This security advisory is only intended to describe possible security problems. Lvmeng Technology provides no guarantee or commitment for this advisory. Any direct or indirect consequences and losses caused by the dissemination and use of the information in this advisory shall be borne by the user; Lvmeng Technology and the advisory's author bear no responsibility for them. Lvmeng Technology reserves the right to modify and interpret this advisory. If you reprint or distribute this advisory, you must preserve it in its entirety, including the copyright notice and other contents. Without the permission of Lvmeng Technology, this advisory may not be modified, added to or shortened, and may not be used for commercial purposes in any way.

About Lvmeng Technology

Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd. (Lvmeng Technology) was founded in April 2000 and is headquartered in Beijing. It has more than 30 branches at home and abroad and provides competitive security products and solutions for users in government, telecommunications, finance, energy, Internet, education, healthcare and other industries, helping customers keep their business running securely and smoothly.

Based on years of security research, Lvmeng Technology provides customers with intrusion detection and prevention, anti-DDoS, remote security assessment, web application protection and other products, as well as professional security services, in the fields of network and endpoint security, Internet infrastructure security, compliance and security management.

Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd. has been listed on the ChiNext board of the Shenzhen Stock Exchange since January 29, 2014 (stock name: Lvmeng Technology; stock code: 300369).

For more information, join QQ group 570982169 or call 010-68438880.