Win32/Drixed

Installation

Threats in this family can be installed by macro malware downloader families such as Donoff, Adnel, and Bartallex. These malware families spread using malicious macros in Microsoft Office files that are attached to spam emails.

When the malicious macro runs, a variant of Drixed is downloaded and run from %TEMP% using a random file name, for example %TEMP%\444.exe.

This file is deleted by the malware after it runs.

The malware also looks for the MpsSvc service in the registry and stops it.

It adds itself to the firewall exception list by modifying the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
With Value: "<random ID>"
With Data: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=c:\windows\system32\explorer.exe|Name=Core Networking - Multicast Listener Done (ICMPv4-In)"

Payload

Steals your online banking credentials

The malware can steal your online banking user names and passwords. It targets mostly European banks by using various techniques tailored to the bank's security measures. 

It monitors the following web browsers:

• Google Chrome
  
• Internet Explorer
• Mozilla Firefox
• Opera Browser

Depending on the website visited, the malware can inject its own HTML code into the website in an attempt to steal your credentials.

Collects your sensitive information

This threat collects information about your PC and sends it to its command and control (C&C) server, including your:

• PC name
• User name
• Operating system version
• Operating system architecture
• Install date
• Installed software

We have seen it connect to the following remote hosts:

• 41.0.<removed>.178
• 92.63.<removed>.92
• 109.72.<removed>.140
• 178.32.<removed>.22

Depending on the answer the malware receives it can then download its backdoor component.

Gives a malicious hacker access to your PC

This malware can give a malicious hacker access and control of your PC. It does this by downloading a backdoor component that injects its code into the clean process explorer.exe.

It can then be used to steal further system information as well as download other components or malware.  

Stops your security product from running

Variants in this family can stop your security product from working. They check for the following security-related process and stops them:

Analysis by Alden Pornasdoro