Dridex module leaks system info and potentially more.
The Dell Sonicwall UTM research team have discovered a Dridex info stealer module that leaks system information as well as potentially modifying certificates stored on the system.
Upon infection the Trojan sends the following system information to a remote C&C server:
The following encrypted conversation was then observed:
The Trojan drops the following file: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)] on the infected system:
2FE.tmp.mod contains the following strings:
Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0
These strings suggest intent to inspect or manipulate certificates on the infected system.
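A defender-side check, added here and not part of the SonicWall advisory: it parses constructed proxy log lines (combined log format) and flags requests whose User-Agent begins with the string quoted above, or whose leading product token is repeated as the first token inside its own parenthesised comment, which is the shape of that string and not how a real browser formats one. The sample log lines, client addresses and the repeated-token heuristic are assumptions for illustration; they are not the vendor's GAV signature logic.

```python
import re
from collections import defaultdict

# User-Agent string quoted in the advisory from the dropped 2FE.tmp.mod module.
# The advisory prints it ending in "3.0.0"; we match on that prefix.
DRIDEX_UA_PREFIX = "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0"

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Leading product token and the first token of the comment that follows it.
UA_SHAPE_RE = re.compile(r'^(?P<prod>\S+) \((?P<first>[^;)]+)')


def ua_is_suspicious(ua: str) -> bool:
    """Heuristic (assumption, not the vendor signature): true for the advisory's UA prefix,
    or for any UA whose product token is repeated as the first token of its own comment."""
    if ua.startswith(DRIDEX_UA_PREFIX):
        return True
    m = UA_SHAPE_RE.match(ua)
    return bool(m) and m.group("prod") == m.group("first").strip()


def scan_proxy_log(lines):
    """Return {client_host: [timestamps]} for requests whose User-Agent looks like the module's.
    Lines that do not parse as combined log format are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and ua_is_suspicious(m.group("ua")):
            hits[m.group("host")].append(m.group("ts"))
    return dict(hits)


# Constructed sample log lines (not taken from the advisory): the first carries the advisory's
# UA prefix, the second is a benign browser, the third is a same-shape variant on another host,
# and the fourth is a malformed line that should be skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "POST / HTTP/1.1" 200 512 "-" '
    '"' + DRIDEX_UA_PREFIX + ')"',
    '10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '10.0.0.9 - - [01/Jan/2015:10:00:03 +0000] "POST / HTTP/1.1" 200 256 "-" '
    '"Mozilla/4.0 (Mozilla/4.0; MSIE 8.0; Windows NT 6.1)"',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    for host, stamps in scan_proxy_log(SAMPLE_LOG).items():
        print(host, stamps)
```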
On our infected test system the following data was encrypted and leaked to a C&C server:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Dridex.AA_3 (Trojan)
- GAV: Dridex.OOVO (Trojan)