TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Dridex is Watching You

2016-06-17

ATT&CK techniques detected

6 predictions
T1555.003 Credentials from Web Browsers · 98%
“…after credentials stealing in order to bypass security products within the bank. These products aim to identify the user using the browser’s unique fingerprint. F5’s research team is watching Dridex. The constant race between security vendors and cybercriminals pushes criminal…”
T1021.005 VNC · 77%
“…follow “LoadLibrary”, making it much harder to analyze. Figure 5: explorer.exe – the original explorer code, worker_x32.dll – the main Dridex module, vnc_x32.dll – the VNC module…”
T1021.005 VNC · 52%
“… – The infected machine initiates the remote session. This is a unique way of using the protocol since usually the viewee acts as server. – If a local VNC address was received, the Dridex module will listen for an incoming VNC connection from the attacker. After establishing a TCP c…”
T1070 Indicator Removal · 45%
“…the infected explorer.exe to start the VNC. From this point, the infected explorer process takes over the activation process. Explorer’s role: the malicious code in explorer runs in an endless loop in a dedicated thread that is responsible for the VNC connection, and waits for…”
T1112 Modify Registry · 34%
“…expects to receive encrypted data. This encrypted data contains information that the malware uses later on: – VNC IP and port — the remote address to connect to when launching the VNC session; – SOCKS IP and port — the remote address to connect to when launching the SOCKS session…”
T1185 Browser Session Hijacking · 33%
“…has been triggered inside the Dridex configuration was described in an earlier F5 Labs article (/content/f5-labs/en/labs/articles/threat-intelligence/dridex-update-moving-to-us-financials-with-vnc-22433.html). VNC activation flow: the flow inv…”
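
The role reversal in the T1021.005 snippets above (the infected machine initiates the TCP session yet acts as the VNC server, or explorer.exe listens when a local VNC address was configured) is the observable a detection engineer would key on. The following is an added example and is not code from the F5 Labs article or from Dridex. The SocketEvent telemetry shape and its field names are assumptions, the sample events are constructed, and the detection relies on one property of the RFB protocol that the article does not state: the VNC server sends the "RFB xxx.yyy" version banner first.

```python
"""Added detection example: flag the reverse-VNC pattern attributed to Dridex,
where the infected explorer.exe either dials out to the attacker and then acts
as the VNC *server*, or opens a listening socket and waits for the attacker."""
from dataclasses import dataclass
from typing import Iterable, List


# Constructed telemetry shape, not from the F5 Labs article: one record per
# socket event as a host sensor might log it. Field names are assumptions.
@dataclass
class SocketEvent:
    pid: int
    process: str            # image name of the process that owns the socket
    event: str              # "connect" (outbound TCP), "listen", or "accept"
    local: str              # "ip:port"
    remote: str = ""        # "ip:port"; empty for listen events
    first_from: str = ""    # which side sent the first bytes: "local" or "remote"
    first_payload: bytes = b""


# The RFB (VNC) handshake starts with the *server* sending "RFB xxx.yyy\n".
# A host that initiates the TCP session and still speaks first with this banner
# is a VNC server dialing out to a waiting viewer: the reversed role the
# snippet above describes.
RFB_BANNER = b"RFB 003."

# Processes that have no business acting as a VNC server or listening at all.
# explorer.exe is the host process the article names; extend for your estate.
NEVER_VNC = {"explorer.exe"}


@dataclass
class Finding:
    pid: int
    process: str
    severity: str
    reason: str
    peer: str


def is_reverse_vnc(ev: SocketEvent) -> bool:
    """Outbound-initiated session in which the local side sent the RFB banner."""
    return (ev.event == "connect"
            and ev.first_from == "local"
            and ev.first_payload.startswith(RFB_BANNER))


def is_unexpected_listener(ev: SocketEvent) -> bool:
    """A listening socket in a process that should never accept connections."""
    return ev.event == "listen" and ev.process.lower() in NEVER_VNC


def analyze(events: Iterable[SocketEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        proc = ev.process.lower()
        if is_reverse_vnc(ev):
            # Any reverse VNC server session deserves a look; one hosted by
            # explorer.exe is the Dridex shape and gets the higher severity.
            sev = "high" if proc in NEVER_VNC else "medium"
            findings.append(Finding(
                ev.pid, ev.process, sev,
                "reverse VNC: process initiated outbound TCP yet sent the RFB server banner first",
                ev.remote))
        elif is_unexpected_listener(ev):
            findings.append(Finding(
                ev.pid, ev.process, "high",
                "listening socket opened by a process that should never accept connections",
                ev.local))
    return findings


# Constructed sample telemetry (RFC 5737 documentation addresses), not real captures.
SAMPLE_EVENTS = [
    # Normal explorer.exe web traffic: local side speaks first, but it is HTTP.
    SocketEvent(1204, "explorer.exe", "connect", "10.0.0.5:49152",
                "198.51.100.7:80", "local", b"GET / HTTP/1.1\r\n"),
    # Legitimate VNC viewer: dials out, and the *remote* server speaks first.
    SocketEvent(3310, "vncviewer.exe", "connect", "10.0.0.5:49153",
                "192.0.2.10:5900", "remote", b"RFB 003.008\n"),
    # Dridex shape: explorer.exe dials out and immediately sends the server banner.
    SocketEvent(1204, "explorer.exe", "connect", "10.0.0.5:49154",
                "203.0.113.5:443", "local", b"RFB 003.008\n"),
    # Dridex shape when a local VNC address was configured: explorer.exe listens.
    SocketEvent(1204, "explorer.exe", "listen", "0.0.0.0:5500"),
    # Ordinary Windows service listener, not in the deny list.
    SocketEvent(812, "svchost.exe", "listen", "0.0.0.0:135"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.process}: {f.reason} ({f.peer})")
```

Process name and connection direction come from an endpoint sensor's network-connect event; which side spoke first needs a network sensor that records the opening bytes of a flow, so in practice the two records are joined on source port and time. The check deliberately does not depend on port 5900, since the remote address in the snippets is whatever the encrypted configuration supplied.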

Summary

And we're watching Dridex. Here's the latest in this malware's evolution.