Malware
The Dridex variant we analyzed targets MacOS platforms with a new technique for delivering documents embedded with malicious macros to users.
Normally, documents containing malicious macros enter a user's system via email attachments posing as ordinary document files. However, while this may be the primary method of arrival, malicious actors have other ways of entering a victim's system.
This blog entry primarily concerns Dridex, an online banking malware that has been active for years. The variant we analyzed has made its way onto the MacOS platform and has adopted a new technique for delivering documents embedded with malicious macros to users without having to pose as invoices or other business-related files.
The Dridex sample we investigated arrived as a Mach-O executable file, a.out (which we detect as Trojan.MacOS.DRIDEX.MANP). Its first submission to VirusTotal (VT) dates to 2019, when it was tagged as malicious by security vendors without specific detection names.
The data segment of the sample contains the malicious embedded document, referenced through the _payload_doc variable. The disassembly in Figure 4 shows that the malware runs a loop that copies the contents of _payload_doc until the counter reaches _payload_doc_len, the size of the malicious code. This prepares the payload for the overwriting routine.
Once the malicious code is ready, the cstring segment is used to overwrite the target files with it. This segment contains the following bash command:
for i in $(find ~ -name "*.doc"); do echo '%s' | xxd -r -p > $i; done
First, the malware searches the current user's directory (~/User/{user name}) for files with the .doc extension using the find ~ -name "*.doc" command. It then iterates over every document file found (i) with a for loop and writes the malicious code via the echo '%s' command (where %s is the malicious code from the data segment).
Piping the output through xxd -r -p means the malicious code is embedded as a plain hexadecimal dump, which xxd converts back into the actual bytes before they are written. The > $i part of the script redirects that output into each document file, replacing its contents.
The disassembly in Figure 6 shows the value of %s that is written to the document files. The malicious code that overwrites them carries the D0CF file signature visible in the image, meaning that it is a Microsoft OLE document file.
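A defender-side check for the footprint this overwrite loop leaves behind, added here as an example and not code from the original post: it flags .doc files whose SHA256 matches the embedded document hash listed in this entry and, more generally, clusters of byte-identical OLE .doc files under a directory, since a home directory in which many unrelated .doc files suddenly share one hash is exactly what the loop produces. The files it scans are constructed in a temporary directory (no real malware); the cluster threshold and the run_demo helper are assumptions.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# SHA256 of the embedded document reported in this analysis (from the page)
KNOWN_PAYLOAD_SHA256 = "70c7bf63bfe1fb83420905db6e65946d721e171db219034a52b27116795ae53e"
# D0CF11E0A1B11AE1: the OLE2/CFB header every .doc written by the loop carries
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def sha256_of(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_doc_files(root, min_cluster=3):
    """Scan root for *.doc OLE files. Reports files whose hash equals the known
    payload, and clusters of at least min_cluster byte-identical .doc files,
    the pattern left by the 'for i in $(find ~ -name "*.doc")' loop."""
    by_hash = defaultdict(list)
    for p in Path(root).rglob("*.doc"):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            if f.read(8) != OLE_MAGIC:
                continue  # not an OLE container, so not what the loop writes
        by_hash[sha256_of(p)].append(str(p))
    return {
        "scanned": sum(len(v) for v in by_hash.values()),
        "known": by_hash.get(KNOWN_PAYLOAD_SHA256, []),
        "clusters": {h: v for h, v in by_hash.items() if len(v) >= min_cluster},
    }


def run_demo():
    """Build a constructed home directory (no real malware) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="docscan_"))
    # Constructed stand-in for an overwritten document: OLE header plus filler
    overwritten = OLE_MAGIC + b"\x00" * 24 + b"CONSTRUCTED-IDENTICAL-BODY"
    for name in ("report", "invoice", "notes", "thesis"):
        (root / f"{name}.doc").write_bytes(overwritten)
    (root / "legit.doc").write_bytes(OLE_MAGIC + b"\x00" * 24 + b"unique body")
    (root / "plain.doc").write_bytes(b"not an OLE container at all")
    return scan_doc_files(root)
```

On a real host, point scan_doc_files at the user's home directory; a hit in "known" or a large cluster of identical documents is the indicator to act on.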
The malicious embedded document was first detected in the wild in 2015 with the following information:
SHA256: 70c7bf63bfe1fb83420905db6e65946d721e171db219034a52b27116795ae53e
Filename: pmB3A6.doc
Detection name: W2KM_DRIDEX.SPB
Using oletools, a Python package for analyzing OLE and Microsoft Office files, we observed that the affected .doc files now contain macros.
Based on the extracted macros, the .doc file contains suspicious elements. To elaborate, here are the VBA components of the overwritten documents:
ThisDocument is an object that includes the autoopen macro, which calls the malicious functions. These functions use normal-looking names to pose as regular functions. For instance, CreatePicture and CreateColor are names normally used for creating image-related objects, but in this VBA project they perform malicious tasks.
Module1 creates an executable file in the temporary (TEMP) folder and then runs it. The malware uses string concatenation to obfuscate the name of the executable file it creates.
Module2 contains the routine that decrypts a set of strings into a URL and then connects to it to retrieve a file using an HTTP GET request. The malware uses basic string encryption to hide the malicious URL it connects to, and calls the RuBik() function to perform the decryption.
Module3 writes the content of the file retrieved in Module2 to the executable file created in Module1.
In this section, we analyze the payload dropped by the malware. Note that since it is an .exe file, it will not run in a MacOS environment. It is possible that the variant we analyzed is still in the testing stages and has not yet been fully converted to work on MacOS-based machines.
When the document is opened and the macro is enabled, the malware connects to the URL decrypted in Module2 to retrieve a file (87i4g3d2d2.exe) using an HTTP GET request:
hxxp://pr-clanky[.]kvalitne[.]cz/65y3fd23d/87i4g3d2d2[.]exe
While the macro feature in Microsoft Word is disabled by default, the malware overwrites all of the current user's document files, including clean ones. This makes it harder for the user to determine whether a file is malicious, since it does not come from an external source.
After connecting to the domain, the content of the portable executable (PE) file is written to trume1.exe (aa6873a6002e152669f54c80801ca7d500ee8c00d5a6a8c223203303b1cbaf50) as analyzed in Module1, 2, and 3. The file trume1.exe is then executed.
The content of the dropped executable file is in HTML format rather than PE format, because the URL it tries to access is already down. The PE file it attempts to download is the Dridex loader.
Conclusion
Dridex is not a new malware: it has been observed in the wild for years. Despite its age, it continues to be used and has in fact seen many improvements over time. Its entry point into a user's system has traditionally been through email attachments, but this blog entry illustrates that the malicious actors using Dridex are also seeking new targets and more efficient methods of entry.
Currently, the impact of this Dridex variant on MacOS users is minimal, since the payload is an .exe file (and therefore not compatible with MacOS environments). However, it still overwrites document files, which then become the carriers of Dridex's malicious macros. Furthermore, it is possible that the threat actors behind this variant will implement further modifications that make it compatible with MacOS.
We encourage users to avoid infection by attacks that use social engineering and malicious documents by refraining from clicking links or opening attachments and embedded documents in emails. Furthermore, organizations can consider using security technologies such as Trend Micro™ Worry-Free™ Business Security, which supports Mac and is ideal for small and medium-sized companies, and Trend Micro™ Apex One™, a powerful security solution for enterprise businesses.
Indicators of Compromise
The indicators of compromise for this entry can be found in this document.
MITRE Tools, Tactics, and Procedures
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Discovery | T1083 | File and Directory Discovery | Uses the find command to search for specific files within the file system and runs the echo command to overwrite files |
| Execution | T1204.002 | User Execution: Malicious File | Requires the victim to run the malware .out file |
| Execution | T1027 | Obfuscated Files or Information | Parts of files are encoded to hide the plain-text strings |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Uses macros to execute payloads |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTP GET requests to contact the command-and-control (C&C) server |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sends data to the C&C server |