Dridex Distributed with “Merry Christmas!” Excel File

The ASEC analysis team has discovered Excel files carrying a Dridex downloader being distributed during the Christmas season. The team has been posting regularly on the ASEC blog about Dridex distribution through Excel file macros (see links below).

Dridex is banking malware that steals the user’s banking credentials and carries out further malicious actions on commands received from the attacker. It is usually distributed through spam emails; a loader first downloads the main module, which then performs the malicious actions.

The recently discovered distribution method of Dridex has the following flow and characteristics:

  • Phishing emails are sent indiscriminately to random users
  • The attached document is password-protected to evade anti-malware detection, with the password given in the email body
  • The message “Merry X-MAS!” or “Merry Christmas!” pops up when the document’s macro is enabled
  • A VBS script is created and run using the Excel Cell Formula (Excel 4.0 macro) method
  • The script downloads and runs Dridex

The subjects of the phishing emails range from ‘Christmas bonus for all workers’ to ‘Termination of employment.’

Figure 1. Dridex downloader Excel file distributed through phishing emails

The attached Excel file displays a ‘Christmas Bonus’ notice and contains hidden sheets that use the Cell Formula (Excel 4.0 macro) method commonly seen in Excel macro malware.

The attachment of the ‘Termination of employment’ email is named ‘TerminationList.xls’, yet its content is also about the ‘Christmas bonus.’ The email subjects and attachments are evidently combined at random, without any consistency.

Figure 2. Opening attached Excel file

Figure 3. Auto_Open macro (Macro1: hidden sheet)

The Name Manager of the workbook shows that the Auto_Open name points into the hidden ‘Macro1’ sheet, so the macro runs on the values stored in the hidden ‘Macro1’ and ‘Sheet1’ sheets. Column V of ‘Macro1’ holds the macro code written as cell formulas (see Figure 5). ‘Sheet1’ stores the payload as decimal values, which are converted to characters and concatenated (see Figure 4). The following formula iterates over rows 163 to 4975 of column BH in ‘Sheet1’ to assemble the malicious data; note that even the loop variable name is built from string fragments and CHAR() calls:

=FOR.CELL("" & "" & "" & "" & CHAR(111) & "" & "" & "wj" & "" & "" & "" & CHAR(72) & "" & "" & "" & "KXZ" & "mV",Sheet1!BH163:BH4975, TRUE)

Figure 4. Decimal data listed in hidden ‘Sheet1’

Figure 5. Cell Formula macro code found in hidden ‘Macro1’ sheet

=ALERT("" & "" & "Mer" & "ry" & "" & "" & "" & "" & "" & "" & "" & " C" & "" & "hri" & "st" & "" & CHAR(109) & "" & "" & "as" & "" & CHAR(33))

Figure 6. Message that pops up by ALERT formula
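The string-building idiom in the two formulas above (empty literals, short fragments and CHAR(n) calls joined with &) hides the real function call and its argument from simple keyword scanning. The following is an added example, not code from the ASEC post: a small resolver that folds those concatenations in Excel 4.0 (XLM) formula text, lists the functions that remain, and performs the decimal-to-text conversion that the FOR.CELL loop applies to ‘Sheet1’. The two formulas are the ones quoted on the page; the short decimal sample is constructed and is not the real sheet data.

```python
"""
Added example (not from the ASEC post): resolve the '&' string-concatenation
obfuscation used in the Excel 4.0 (XLM) formulas shown above.
"""
import re

# Token classes in the obfuscation subset of XLM syntax: a string literal
# (with "" as an escaped quote), CHAR(n), the '&' operator, whitespace, and
# any other single character (function names, references, commas, parens).
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|CHAR\((\d+)\)|(&)|(\s+)|(.)', re.S)


def _tokenize(formula):
    tokens = []
    for m in _TOKEN.finditer(formula):
        lit, charnum, amp, ws, other = m.groups()
        if lit is not None:
            tokens.append(("str", lit.replace('""', '"')))
        elif charnum is not None:
            tokens.append(("str", chr(int(charnum))))   # CHAR(111) -> 'o'
        elif amp:
            tokens.append(("amp", amp))
        elif ws is not None:
            tokens.append(("ws", ws))
        else:
            tokens.append(("other", other))
    return tokens


def _quote(s):
    return '"' + s.replace('"', '""') + '"'


def resolve_concat(formula):
    """Fold every  str & str & CHAR(n) & ...  chain into a single literal;
    everything outside such chains is emitted unchanged."""
    tokens = _tokenize(formula)
    out, i = [], 0
    while i < len(tokens):
        kind, val = tokens[i]
        if kind != "str":
            out.append(val)
            i += 1
            continue
        buf, j = val, i + 1
        while True:                       # extend the chain while  ws* & ws* str  follows
            k = j
            while k < len(tokens) and tokens[k][0] == "ws":
                k += 1
            if k < len(tokens) and tokens[k][0] == "amp":
                k += 1
                while k < len(tokens) and tokens[k][0] == "ws":
                    k += 1
                if k < len(tokens) and tokens[k][0] == "str":
                    buf += tokens[k][1]
                    j = k + 1
                    continue
            break
        out.append(_quote(buf))
        i = j
    return "".join(out)


def xlm_functions(formula):
    """Names of the XLM functions still called once the strings are folded."""
    return re.findall(r'([A-Z][A-Z0-9.]*)\(', resolve_concat(formula))


def decode_decimal_cells(values):
    """'Sheet1' stores one decimal character code per cell; this is the
    text-conversion step the FOR.CELL loop performs over that column."""
    return "".join(chr(int(v)) for v in values)


# The two formulas quoted in the post.
ALERT_FORMULA = ('=ALERT("" & "" & "Mer" & "ry" & "" & "" & "" & "" & "" & "" & "" '
                 '& " C" & "" & "hri" & "st" & "" & CHAR(109) & "" & "" & "as" & "" & CHAR(33))')
FORCELL_FORMULA = ('=FOR.CELL("" & "" & "" & "" & CHAR(111) & "" & "" & "wj" & "" & "" & "" '
                   '& CHAR(72) & "" & "" & "" & "KXZ" & "mV",Sheet1!BH163:BH4975, TRUE)')
# Constructed stand-in for a few cells of Sheet1!BH (not the real data).
SAMPLE_DECIMALS = [87, 83, 99, 114, 105, 112, 116]

if __name__ == "__main__":
    print(resolve_concat(ALERT_FORMULA))        # =ALERT("Merry Christmas!")
    print(resolve_concat(FORCELL_FORMULA))      # =FOR.CELL("owjHKXZmV",Sheet1!BH163:BH4975, TRUE)
    print(xlm_functions(FORCELL_FORMULA))       # ['FOR.CELL']
    print(decode_decimal_cells(SAMPLE_DECIMALS))
```

Resolving the concatenations is deliberately done on formula text rather than by evaluating the sheet, so it is safe to run over formulas extracted from a sample; the folded output is what a keyword rule (ALERT, FOR.CELL, EXEC and similar) should be matched against.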

The ALERT formula in one of the cells pops up the message ‘Merry Christmas!’, and a VBS file is created in a subdirectory of C:\ProgramData\. Figure 7 shows the resolved values of some of the formulas; among them is the wscript.exe string used to execute the VBS file. The VBS code shown in Figures 8 and 9 contains the routine that runs the downloaded file locally through WMIC, a legitimate Windows utility, together with a URL for downloading Dridex, both written with fairly simple obfuscation.

Figure 7. ‘Formulas’ and ‘values’ found from Name Manager

Figure 8. VBS file created in subpath of C:\ProgramData

Figure 9. Dridex download URL found in VBS file
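The execution chain described above (Excel runs a VBS file from under C:\ProgramData through wscript.exe, and the VBS then launches the payload through WMIC) is easy to express as a process-tree rule. The following is an added example, not code from the ASEC post: a detector run over constructed Sysmon-style process-creation events. The event field names, the WMIC verb (process call create) and the sample paths and command lines are assumptions; the post only states that the VBS is created under C:\ProgramData, is run by wscript.exe, and uses WMIC to run the downloaded file.

```python
"""
Added example (not from the ASEC post): flag the Excel -> wscript.exe
(.vbs under C:\ProgramData) -> wmic.exe chain in process-creation telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Constructed telemetry (assumed field layout): one malicious chain plus
# one benign wscript.exe run from a user directory.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4012, 1200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\u\Downloads\TerminationList.xls'),
    ProcEvent(4120, 4012, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\ProgramData\Xmas\bonus.vbs'),
    ProcEvent(4188, 4120, r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process call create "regsvr32 /s C:\ProgramData\Xmas\payload.dll"'),
    ProcEvent(5000, 1200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Users\u\scripts\backup.vbs'),
]

# A .vbs path anywhere below C:\ProgramData (the post's drop location).
VBS_UNDER_PROGRAMDATA = re.compile(r'c:\\programdata\\[^"\s]*\.vbs\b', re.I)
# Assumed WMIC verb used to start the payload.
WMIC_PROCESS_CREATE = re.compile(r'\bprocess\s+call\s+create\b', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule_name, pid) for each event that matches a stage of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par = _basename(e.image), _basename(parent.image)
        # Stage 1: Excel hands a VBS dropped under C:\ProgramData to wscript.exe
        if (child == "wscript.exe" and par == "excel.exe"
                and VBS_UNDER_PROGRAMDATA.search(e.cmdline)):
            findings.append(("excel_runs_vbs_from_programdata", e.pid))
        # Stage 2: that VBS uses WMIC to launch the downloaded payload
        if (child == "wmic.exe" and par == "wscript.exe"
                and WMIC_PROCESS_CREATE.search(e.cmdline)):
            findings.append(("wscript_runs_wmic_process_create", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each stage is matched on the parent image, the child image and the command line together, so a benign wscript.exe started from Explorer (pid 5000 in the sample) does not fire; in production the two stages would normally be correlated by process ancestry rather than reported independently.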

The URL found in the file was no longer reachable, so the team could not download the payload from it. However, a DLL file obtained from another, still-active URL of the same form was confirmed to be Dridex.

Because these phishing emails are distributed indiscriminately, users should refrain from opening email attachments even when the message appears to come from a trusted sender, and should keep their anti-malware software updated to the latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malware covered in this post under the aliases below.

[File Detection]

  • Downloader/XLS.Generic
  • Trojan/Win.Dridex

[IOC Info]

  • 7acf260802f3a3706e9fa7b7cfd04442 (XLS)
  • 6c4f9a92b1d3371a08dba5ab6e411dbc (XLS)
  • 0787dd3e8b45aca3966cc9c05bd4cd48 (XLS)
  • f6c1c00a86bc0fb6624b3c30c40d0e27 (Dridex)
  • hxxps://cdn.discordapp[.]com/attachments/922230029876871191/922476091036282900/hADmBTOIOvchristmasnigga.bin
  • hxxps://cdn.discordapp[.]com/attachments/922230029876871191/922475884680720415/jsYdUxKchristmasnigga.bin
  • hxxps://cdn.discordapp[.]com/attachments/922230029876871191/922474883370348564/PkoNSuchristmasnigga.bin

[Previous ASEC posts about Dridex distributed through Excel]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
