Malware authors use various means to make their malware look like legitimate software. One such approach involves signing a malware sample with a digital certificate. Recently security researchers discovered that the “Dridex” malware authors are using this technique. Dridex is a banking Trojan which typically arrives to a system via malicious spam email with a Microsoft Office file as an attachment. These files will have embedded macros that lead to the download and installation of the Dridex Trojan. Dridex then attempts to steal the victim's banking credentials and system information. As per security experts, the use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples.
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street