Dridex module leaks system info and potentially more.

The Dell Sonicwall UTM research team have discovered a Dridex info stealer module that leaks system information as well as potentially modifying certificates stored on the system.

Infection Cycle:

Upon infection the Trojan sends the following systen information to a remote C&C server:

The following encrypted conversation was then observed:

The Trojan drops the following file: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)] on the infected system:

2FE.tmp.mod contains the following strings:

• Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0

• CryptSIPDllGetSignedDataMsg
• CryptDllExportPublicKeyInfoEx
• CryptDllImportPublicKeyInfoEx
• CryptDllEncodePublicKeyAndParameters
• CryptDllConvertPublicKeyInfo
• CertDllVerifyRevocation
• CertDllVerifyCTLUsage
• CertDllOpenSystemStoreProv
• CertDllRegisterSystemStore
• CertDllUnregisterSystemStore
• CertDllEnumSystemStore
• CertDllRegisterPhysicalStore
• CertDllUnregisterPhysicalStore
• CertDllEnumPhysicalStore
• CryptDllExportPrivateKeyInfoEx
• CryptDllImportPrivateKeyInfoEx
• CertDllVerifyCertificateChainPolicy
• CryptMsgDllExportEncryptKey
• CryptMsgDllImportEncryptKey
• CryptMsgDllGenContentEncryptKey
• CryptMsgDllImportKeyTrans
• CryptMsgDllImportKeyAgree
• CryptMsgDllImportMailList

These strings suggest intent to inspect or manipulate certificates on the infected system.

On our infected test system the following data was encrypted an leaked to a C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Dridex.AA_3 (Trojan)
• GAV: Dridex.OOVO (Trojan)