Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150821-265-VB Dridex
Raytheon Blackbird Technologies, Inc.
21 Aug 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) The following report discusses Dridex, a banking Trojan descended from the Cridex
malware. Dridex is a Windows executable that uploads system information to a command-and-control
(C&C) server and then downloads a DLL which acts as a Remote Access Tool (RAT) and banking Trojan.
The tool does not appear to contain any worthwhile techniques besides its User Account Control (UAC)
bypass method, which Microsoft has since patched.
(S//NF) Dridex is usually delivered as a Word document with macros. This initial module
downloads the main module when executed. Dridex obfuscates the C&C server URL with a XOR layer
and the aPLib algorithm (aPLib is a compression format rather than a cipher). Dridex communicates
over HTTP, HTTPS, and FTP on their default ports, and the traffic it sends is encrypted.
(S//NF) Dridex uses an unusual method for User Account Control (UAC) bypass. Whereas many
pieces of malware (PlugX, for example) achieve the bypass by other means, Dridex abuses application
compatibility databases: .sdb files that configure execution rules (shims) for applications with
compatibility issues in Windows. Dridex creates and installs a new application compatibility
database that targets iscsicli, the command-line tool for the iSCSI initiator, which Windows
auto-elevates. Dridex then launches iscsicli; the newly installed database redirects execution to a
batch file, which in turn causes Dridex to run with administrative privileges without a UAC prompt.
Microsoft has released a patch for this vulnerability; on a patched system, applying this method
produces a warning message instead of silent elevation.
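(U) Installing a shim database leaves registry artifacts that a defender can audit. The following PowerShell is an added detection example written for this edit; it is not code from the Raytheon report or from Dridex. It reads the AppCompatFlags registry keys that sdbinst populates, lists every custom database and the executable it is applied to, and flags databases aimed at iscsicli.exe. The watched-target list, the expectation that databases live under %SystemRoot%\AppPatch, and the Application Experience event log check (Event ID 500) are assumptions to adjust for the environment; run it from an elevated prompt so HKLM is fully readable.

```powershell
# Added detection example; not code from the Raytheon report or from Dridex.
# Enumerates custom application-compatibility (shim) databases registered on
# the host and flags any applied to an auto-elevating binary such as
# iscsicli.exe, the redirection Dridex used to run elevated without a prompt.

$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# Assumed starting list of executables whose shimming warrants a closer look;
# iscsicli.exe is the one named in the report. Extend as needed.
$WatchedTargets = @('iscsicli.exe')

function Get-InstalledShimDatabases {
    # sdbinst registers each installed .sdb as a subkey named by its GUID.
    $key = Join-Path $AppCompatKey 'InstalledSDB'
    if (-not (Test-Path $key)) { return @() }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            $installed = [datetime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid        = $sub.PSChildName
            Path        = $p.DatabasePath
            Description = $p.DatabaseDescription
            Installed   = $installed
        }
    }
}

function Get-ShimmedExecutables {
    # Custom\<image name> carries one value per database applied to that image;
    # the value name is the database GUID followed by ".sdb".
    $key = Join-Path $AppCompatKey 'Custom'
    if (-not (Test-Path $key)) { return @() }
    foreach ($sub in Get-ChildItem $key) {
        $props = (Get-ItemProperty $sub.PSPath).PSObject.Properties
        foreach ($v in $props) {
            if ($v.Name -match '^(\{[0-9A-Fa-f-]{36}\})\.sdb$') {
                [pscustomobject]@{ Executable = $sub.PSChildName; Guid = $Matches[1] }
            }
        }
    }
}

function Find-SuspiciousShims {
    $dbByGuid = @{}
    foreach ($db in Get-InstalledShimDatabases) { $dbByGuid[$db.Guid] = $db }

    foreach ($s in Get-ShimmedExecutables) {
        $db    = $dbByGuid[$s.Guid]
        $flags = New-Object System.Collections.Generic.List[string]
        $path = $null; $desc = $null; $when = $null

        # -contains compares case-insensitively, matching Windows image names.
        if ($WatchedTargets -contains $s.Executable) { $flags.Add('shims an auto-elevating binary') }

        if (-not $db) {
            $flags.Add('no matching InstalledSDB entry')
        } else {
            $path = $db.Path; $desc = $db.Description; $when = $db.Installed
            # sdbinst copies custom databases under %SystemRoot%\AppPatch\Custom;
            # any other location means the registry entries were written by hand.
            if ($path -notmatch '\\AppPatch\\') { $flags.Add("unexpected path: $path") }
            if ($path -and -not (Test-Path -LiteralPath $path)) { $flags.Add('database file missing') }
        }

        [pscustomobject]@{
            Executable  = $s.Executable
            Guid        = $s.Guid
            Path        = $path
            Description = $desc
            Installed   = $when
            Flags       = ($flags -join '; ')
        }
    }
}

function Get-ShimApplicationEvents {
    # Assumed channel: the Application Experience log records each shim
    # application as Event ID 500. It is absent where the channel is disabled.
    $log = 'Microsoft-Windows-Application-Experience/Program-Telemetry'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 500 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match ($WatchedTargets -join '|') } |
        Select-Object TimeCreated, Message
}

Find-SuspiciousShims | Sort-Object Installed -Descending | Format-Table -AutoSize
Get-ShimApplicationEvents | Format-List
```

(U) Any row whose Flags column is non-empty deserves a look at the referenced .sdb and at what launched iscsicli. On a host that has the Microsoft patch the redirection itself no longer elevates silently, but a leftover custom database still records that the attempt was made.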
(S//NF) In conclusion, this banking Trojan does not demonstrate any new or notable techniques
besides the UAC bypass, which Microsoft has since patched. As such, no PoC is
recommended.
2.0 (U) Description of the Technique
(S//NF) No techniques are recommended for PoC development.
3.0 (U) Identification of Affected Applications
(U) Windows
4.0 (U) Related Techniques
(S//NF) Trojan, UAC Bypass
5.0 (U) Configurable Parameters
(U) None