Dridex module leaks system info and potentially more.

December 11, 2015

The Dell Sonicwall UTM research team has discovered a Dridex info-stealer module that leaks system information and may also modify certificates stored on the system.

Infection Cycle:

Upon infection the Trojan sends the following system information to a remote C&C server:

The following encrypted conversation was then observed:

The Trojan drops the following file: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)] on the infected system:

2FE.tmp.mod contains the following strings:

  • Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0
  • CryptSIPDllGetSignedDataMsg
  • CryptDllExportPublicKeyInfoEx
  • CryptDllImportPublicKeyInfoEx
  • CryptDllEncodePublicKeyAndParameters
  • CryptDllConvertPublicKeyInfo
  • CertDllVerifyRevocation
  • CertDllVerifyCTLUsage
  • CertDllOpenSystemStoreProv
  • CertDllRegisterSystemStore
  • CertDllUnregisterSystemStore
  • CertDllEnumSystemStore
  • CertDllRegisterPhysicalStore
  • CertDllUnregisterPhysicalStore
  • CertDllEnumPhysicalStore
  • CryptDllExportPrivateKeyInfoEx
  • CryptDllImportPrivateKeyInfoEx
  • CertDllVerifyCertificateChainPolicy
  • CryptMsgDllExportEncryptKey
  • CryptMsgDllImportEncryptKey
  • CryptMsgDllGenContentEncryptKey
  • CryptMsgDllImportKeyTrans
  • CryptMsgDllImportKeyAgree
  • CryptMsgDllImportMailList

These strings suggest intent to inspect or manipulate certificates on the infected system.
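As an added triage example (not SonicWall's code), the following Python helper extracts narrow (ASCII) and wide (UTF-16LE) printable strings from a file image and reports which of the CryptoAPI function names listed above it carries; the sample bytes and the hit threshold are constructed for this example.

```python
import re

# CryptoAPI dispatch-function names the advisory reports inside 2FE.tmp.mod.
CRYPTOAPI_NAMES = frozenset([
    "CryptSIPDllGetSignedDataMsg", "CryptDllExportPublicKeyInfoEx",
    "CryptDllImportPublicKeyInfoEx", "CryptDllEncodePublicKeyAndParameters",
    "CryptDllConvertPublicKeyInfo", "CertDllVerifyRevocation",
    "CertDllVerifyCTLUsage", "CertDllOpenSystemStoreProv",
    "CertDllRegisterSystemStore", "CertDllUnregisterSystemStore",
    "CertDllEnumSystemStore", "CertDllRegisterPhysicalStore",
    "CertDllUnregisterPhysicalStore", "CertDllEnumPhysicalStore",
    "CryptDllExportPrivateKeyInfoEx", "CryptDllImportPrivateKeyInfoEx",
    "CertDllVerifyCertificateChainPolicy", "CryptMsgDllExportEncryptKey",
    "CryptMsgDllImportEncryptKey", "CryptMsgDllGenContentEncryptKey",
    "CryptMsgDllImportKeyTrans", "CryptMsgDllImportKeyAgree",
    "CryptMsgDllImportMailList",
])
# Printable runs of 6+ characters, stored narrow (ASCII) or wide (UTF-16LE).
_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list[str]:
    """Printable strings in a binary blob: narrow strings first, then wide ones."""
    narrow = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in _WIDE.finditer(data)]
    return narrow + wide


def cryptoapi_indicators(data: bytes) -> set[str]:
    """Names from the advisory's list that appear as whole strings in the blob."""
    return {s for s in extract_strings(data) if s in CRYPTOAPI_NAMES}


def flag_sample(data: bytes, threshold: int = 5) -> bool:
    """Flag for manual review when at least `threshold` names are present.
    The threshold is an assumption for this example: legitimate CryptoAPI
    providers export a few of these names too, so one hit proves nothing."""
    return len(cryptoapi_indicators(data)) >= threshold


# Constructed sample (not the real module): non-printable padding around a few
# of the names, the last one stored as a wide string.
SAMPLE = (
    b"\x00\x01MZ\x90\x00junk\x00CertDllOpenSystemStoreProv\x00"
    b"\x7f\x7fCertDllEnumSystemStore\x00CryptDllExportPrivateKeyInfoEx\x00"
    b"CertDllRegisterSystemStore\x00CryptMsgDllImportKeyTrans\x00\x90"
    + "CertDllVerifyCertificateChainPolicy".encode("utf-16-le") + b"\x00\x00"
)
```

Run `cryptoapi_indicators(open(path, "rb").read())` over a suspect file to list the names it contains; the wide-string pass matters because Windows binaries often store such names as UTF-16LE.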

On our infected test system the following data was encrypted and leaked to a C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dridex.AA_3 (Trojan)
  • GAV: Dridex.OOVO (Trojan)