spender-sandbox / cuckoomon-modified

Modified edition of cuckoomon
GNU General Public License v3.0

CreateRemoteThread hook bypass #8

Closed jgajek closed 8 years ago

jgajek commented 8 years ago

Recent Dridex sample (MD5 92b40f871e2273013f6f5211251a0051) uses CreateRemoteThread to inject code into Explorer.exe without Cuckoomon noticing. There are alerts about the process trying to suspend Cuckoomon threads, but the CreateRemoteThread call is not logged, and the subsequent malicious activity from within Explorer.exe is not monitored as a result.

The injection activity was logged by a Carbon Black agent on the analysis VM, however, and the subsequent 'netsh advfirewall' command executed from within Explorer.exe was a tell-tale sign of Dridex.

spender-sandbox commented 8 years ago

Known issue: it's not bypassing the hook; rather, the issue is that on 64-bit OSes, explorer is a 64-bit task. To perform the injection, Dridex transitions to a 64-bit code segment to call the 64-bit APIs (i.e. it's not using the 32-bit CreateRemoteThread API; just look for retf in the disassembled code). We currently don't support having two different versions of cuckoomon loaded in a given task, and supporting it without duplicating information would be significant effort. For samples like these, run them on a 32-bit OS.

-Brad
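The "look for retf" triage hint above, turned into a small scanner. This is an added example, not code from cuckoomon or this thread: it scans a raw 32-bit code blob for far jumps/calls whose selector is the WoW64 64-bit code segment and for `push 0x33 ... retf` sequences (selector 0x33 is an assumption about the WoW64 layout; the sample bytes are constructed). Hits are candidates for an analyst to disassemble, not proof of a transition.

```python
"""Flag candidate 32->64-bit code-segment transitions in a 32-bit code blob.

Heuristic triage only: 0xCB (retf) also occurs inside ordinary data, so every
hit is a starting point for manual disassembly, not a verdict.
"""
import struct

SEL64 = 0x33  # assumption: WoW64 64-bit code segment selector (0x23 is the 32-bit one)


def find_far_transitions(code: bytes, base: int = 0) -> list:
    """Return dicts describing places where 32-bit code may hand off to a 64-bit segment."""
    hits = []
    n = len(code)
    for i, b in enumerate(code):
        # EA imm32 imm16 = jmp far sel:off ; 9A imm32 imm16 = call far sel:off
        if b in (0xEA, 0x9A) and i + 7 <= n:
            off, sel = struct.unpack_from("<IH", code, i + 1)
            if sel == SEL64:
                hits.append({"rva": base + i,
                             "kind": "jmp far" if b == 0xEA else "call far",
                             "target": off})
        # 6A 33 = push 0x33, with a retf (CB) shortly after: the classic
        # push selector / push return address / retf hand-off pattern
        elif b == 0x6A and i + 1 < n and code[i + 1] == SEL64:
            window = code[i + 2:i + 2 + 16]
            if window.find(b"\xCB") != -1:
                hits.append({"rva": base + i,
                             "kind": "push 0x33 ... retf",
                             "target": None})
    return hits


# Constructed sample: a benign prologue, a push 0x23/retf that stays 32-bit,
# then push 0x33; call $+5; add [esp],5; retf, then jmp far 0x33:0x12345678.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                        # push ebp; mov ebp, esp
    b"\x6A\x23\xCB"                        # push 0x23; retf (not flagged)
    b"\x6A\x33\xE8\x00\x00\x00\x00"        # push 0x33; call $+5
    b"\x83\x04\x24\x05\xCB"                # add dword [esp], 5; retf
    b"\xEA\x78\x56\x34\x12\x33\x00"        # jmp far 0x33:0x12345678
    b"\xC3"                                # ret
)

if __name__ == "__main__":
    for h in find_far_transitions(SAMPLE_CODE, base=0x401000):
        print(f"0x{h['rva']:08x}: {h['kind']} target={h['target']}")
```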