Future versions of the infamous and highly dangerous Dridex banking trojan will soon be able to steal credentials for several crypto-currency wallets, according to clues found in recent Dridex samples.
Dridex, also known as Bugat and Cridex, is the moniker of a banking trojan and the name of its botnet (infected devices) used to commit other types of illegal activities, such as sending spam.
The criminal group behind it, a true cyber-crime syndicate, has people working around the clock updating Dridex's source code with new features and new methods meant to help the trojan avoid getting flagged by security software. A recent Forcepoint report highlights some of the low-level code changes that have allowed Dridex to avoid malware researchers and security software in the past few months, but it also includes some clues about the trojan's future.
Dridex will ban computers it thinks belong to security researchers
Some of the most significant and extensive changes are to Dridex's configuration file, which is now transmitted from the C&C master server to its victims in an encrypted binary format, instead of a cleartext XML file.
While this has made reverse engineering and Dridex detection a real problem, the most interesting change is the fact that Dridex now comes with the ability to blacklist "suspicious" hosts. You see, Dridex doesn't flat-out infect its victims. The initial infection trojan, called the Dridex loader, collects information about each host and then sends it to the Dridex servers.
The type of information it collects includes data such as the computer's name, OS type, OS version, OS installation date, and system information like the list of installed software.
Across time, this has allowed the Dridex gang to build a database of users. Dridex's operators have realized that they could use this database to detect users who have security-related and reverse engineering software installed on their PCs.
In recent Dridex versions, the malware authors have banned certain workstations. As such, recent Dridex versions will refuse to send over the main Dridex infection modules if the local computer is found on one of its blacklists.
Forcepoint says this ban, or blacklist, is applied based on a list of installed software but enforced only based on the computer's username and OS installation date, which still allows researchers to get around it.
Dridex prepares to integrate Bitcoin wallets
This is a unique feature among banking trojans, but Dridex operators are also preparing a second unique feature. According to the same Forcepoint researchers, Dridex operators are now scanning infected systems for the names of popular crypto-currency wallets.
The trojan, which can already log credentials for online banking portals, PoS software, and professional backend banking software, is building a database of the most encountered crypto-currency wallet software, no doubt to add support for stealing Bitcoin and other digital currencies in future versions.
A list of the Bitcoin and crypto-currency wallets recent Dridex versions are scanning for can be seen below. Be advised that the trojan also scans for the names of other types of apps, but you'll quickly recognize the names of popular Bitcoin wallets such as Coinbase, Bitcore, CoinsBank, BreadWallet, and more.