Bypass User Account Control

New Tactic Used by Dridex Trojan to Bypass User Account Control



Recently a campaign, Dridex distribution is leveraging a fresh UAC (User Account Control) bypass method, warns Flashpoint security researchers.
First, this was discovered back in 2014, Dridex is considered as the successor of the GameOver ZeuS malware, as it often uses an improved version of GameOver ZeuS ’s peer-to-peer architecture in order to protect its (C&C) command and control server. Dridex emerged as one of most dangerous banking Trojan families present, still its recent activity has subsided compared to the levels seen in 2014 and 2015.
Recently observed a small distribution campaign that is targeting the UK financial institutions which was characterized by the use of “previously-unobserved” Dridex UAC bypass which leveragesrecdisc.exe, which is a Windows default recovery disc executable. This malware was also observed while loading malicious code using impersonated SPP.dll, and usingspoolsrv and svchost to communicate to peers and then first-layer C&C servers.

As usual, Dridex is being distributed through spam emails with attached Word documents that feature malicious macros designed to download and execute the malware. The initially dropped module was designed to download the main Dridex payload. After infection, the Trojan moves itself from the current location to the %TEMP% folder.
On the infected machine, Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll and bypass the UAC protection on Windows 7. It does so because the platform automatically elevates the program, along with other applications white-listed for auto-elevation. Dridex leverages this feature to execute two commands on the computer.

In order to bypass this UAC, Dridex created a directory inWindows\System32\6886, and then copies legitimate binary fromWindows\System32\recdisc.exe to the Windows\System32\6886\. Next, it copies itself to%APPDATA%\Local\Temp as a tmp file, and then moves itself toWindows\System32\6886\SPP.dll. Then the malware deletes wu*.exeand po*.dll fromWindows\System32, after doing which it executes the recdisc.exe and then loads itself as impersonated SPP.dll with admin privileges.

Comments

Post a Comment

Popular posts from this blog

बेंक अकाउंट हैक करके ठगाई का एक नया तरीका !

Image
जरूर पढ़ें और सावधान रहे* कल शाम को एक काल आयी, कोई लड़की थी। बोली," सर, मैं जॉब के लिए रजिस्ट्रेशन कर रही थी। गलती से आपका नम्बर डाल दिया है, क्योकि मेरे और आपके मोबाइल नंबर में काफी समानता है। आपके पास थोड़ी देर में एक ओटीपी आएगी, प्लीज बता दो सर, ज़िन्दगी का सवाल है।" बात बिल्कुल जेनुइन लग रही थी, मैनें इनबॉक्स चेक किया, दो मैसेज आये थे। एक पर ओटीपी था, दूसरा एक मोबाइल से आया मैसेज। लिखा था, dear सर, आपके पास जो ओटीपी आयी है, प्लीज इस नंबर पर भेज दीजिये..........Thanks in advance. मैसेज देख ही रहा था कि फोन दोबारा आया .... मैनें ओके क्लिक किया। वही सुमधुर आवाज। बस नंबर दूसरा था। " सर, आपने देखा होगा अब तक ओटीपी आ गयी होगी। या तो बता दो या फारवर्ड कर दो उस नंबर पर..." प्लीज... "बता दूंगा, पर आप पहले एक काम करो.." "हा सर.. बोलिये.." "जो नंबर आपनें डाला है रेजिस्ट्रेसन में, वो मेरा नम्बर है और उसी से मिलता जुलता नम्बर आपके पास भी है, तभी आपसे ये गलती हुई , है न?" "हां सर.." "ओके, उसी नम्बर से मुझे आप कॉल करो, ताकि मैं वेरी
Read more

UIDAI lets you lock your Aadhaar biometrics

Image
Watch: UIDAI lets you lock your Aadhaar biometrics   Mumbai:   Amid questions being raised regarding the security of the Aadhaar database, UIDAI has come up with a way to lock our biometrics against misuse. As Aadhaar is increasingly linked to various day to day services like payments, welfare schemes, income tax services, etc, it is important that we safeguard our biometrics that are used for authentication purposes. UIDAI, the nodal agency handling Aadhaar recently posted on Twitter, a way to lock one's biometrics like finger print and iris data.  This is how you can lock your biometrics: 1. Log on to https://resident.uidai.gov.in/web/resident/home 2. Select the Lock/unlock Biometrics option under the tab called Aadhaar Services on the right. 3.  You will be re-directed to the Lock/unlock Biometrics page. Enter your 12-digit Aadhaar number and the security code in the specified fields under the Lock your Biometrics section below. 4.  A One
Read more

Online game of death

Image
Online game of death: Blue Whale takes life on the 50th day The online bloody game named Blue Whale is now appearing in India also.  that more than 200 youths in the world have died, this game has killed a teenage girl in India too.  This game is a deadly game of the Internet that the player has to give his/her  life on the 50th day. Questions is that.  How does this game take children into their grip  and then how does it force them to commit suicide? 1. I  will tell you the detail about this.  2. I will also tell you what the  symptoms of children in the game may look like 3.  how to save them from death. But before this,            I tell  you  how this  deadly  game 'Blue Whale' came? Latest event    Manpreet, 14, committed suicide by jumping from the 7th floor to complete the game's challenge.  Police have filed an FIR on the basis of complaints of the residents and have gathered in the investigation of the case.  In its initial
Read more