Researchers spot ‘Dridex’ targeting crypto-currency wallets


The primary objective of Dridex is to steal banking information from users of infected machines to immediately launch fraudulent transactions. The software installs a keyboard listener, or logger, and performs “injection” attacks.

During 2015, theft caused by it was estimated at £20 million in the United Kingdom and $US10 million in the United States.

By 2015, Dridex attacks had been detected in more than 20 countries.

In early September 2016, researchers spotted initial support for it targeting crypto-currency wallets. The infection was done by using a malicious file while leveraging a bug in Microsoft Word, where a special code was embedded into the file.

Votiro gathered a sample of the Zero-Day and ran it through its research lab analysis. It found that the malware bypassed most security defences, including “Sandboxes” and all endpoint memory-based mitigation techniques.

As originally reported by and acknowledged by Microsoft, the bug is a “logical issue” in Microsoft Word and the Mshta.exe component. Mshta.exe is responsible for handling the Content-Type “application/hta” in Microsoft Word, parsing the content, and executing the script.  Meanwhile, Winword.exe parses the OLE instruction, and queries a remote server for external content where the server returns an “application/hta” that eventually executes mshta.exe. Mshta.exe then executes any code that is embedded in the malicious document.


The best approach is to disable Rich Text Format (RTF) files from being loaded by setting the following registry keys, as offered by @ryHanson:

Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0.

Another approach to mitigate these kind of attacks is to perform a scan of document formats such as RTF. Using an Advanced Content Disarm and Reconstruction image module that supports RTF and many other document formats, the OLE objects can be carefully examined as the document is re-built from scratch, eliminating any non-standard or documented attributes, values, and OLE objects without requiring any signature or learning.

Aviv Grafi, CTO and co-founder of Votiro, used the Votiro Application Program Interface (API) ( to examine the file and uploaded the same sample to Votiro’s service. A safe version of the document was retrieved in less than a second and as expected, the faulty OLE object was removed automatically as expected.

Advanced Content Disarm and Reconstruction technology could be a solution to this growing issue and many other security holes that hackers can take advantage of.

CDR involves disarming potential exploits by dissecting files (such as RTFs) and performs thorough analysis. The system is able to then determine the implications of modifications, whether it was written to specifications, or whether it needs to be patched.

Once analysed – and vetted for proper form and safety – the file is then reconstructed and passed onto the end user, keeping all functionality intact, while disarming any malicious, suspicious or potentially harmful objects.

With Votiro’s Advanced CDR technology, the solution moves from detection to instead tracking down problems and retroactively solving them.

Advanced CDR puts the onus on files to ‘prove’ that its code is proper; without that proof, CDR will simply dismiss the file, and it won’t have the opportunity to cause mayhem – or potential mayhem, as in the case with Dridex.

While no reports have come in of hackers using the vulnerability to carry out malware attacks yet, that could just be because security firms haven’t connected all the dots yet.

It may yet come to light that malformed file such as RTFs are a major risk. But for companies that have a CDR system in place, it won’t make a difference how widespread the vulnerability is; they’re safe.