A couple of days ago, we received a spam email sample which was reported to contain a malicious attachment. The email content poses as a remittance advice for a specific BACS payment. BACS also known as Banker’s Automated Clearing Services, is a scheme used for electronic processing of financial transactions within the UK. This suggests that victims of this spam campaign would be concentrated in this country.
Figure 1. Email Snapshot
The attachment, BAC_296422H.xls, is an Excel document found to contain a malicious macro set to run automatically upon opening if macros have been enabled in Microsoft Office. CYREN detects this malicious document as X97M/DownldExe.A.
Once executed, the macro attempts to download and execute a WinPE file named “test.exe” from xx.xxx.xxx.xxx:8080/stat/lld.php. CYREN detects this downloaded executable as W32/DridLd.A.
W32/DridLd.A is a downloader component of the Dridex malware, dubbed as the successor to the Cridex family of banking Trojans, which steals online banking information via HTML injections.
The downloader component poses as a Windows component, which makes it more suspicious once you see it’s internal and original filename are of DLL type while its file type is Win32 EXE.
Table 1. W32/DridLd.A File Meta Information
Inspecting it further through a debugger reveals a compressed executable, encrypted and stored in the .data section.
Figure 2. Encrypted and compressed downloader binary
Figure 3. Downloader unpack Routine
The unpacked executable’s .sdata section contains the encrypted and compressed server config, which lists the servers where the main Dridex component would be downloaded from.
Figure 4. Decoded downloader server config
Before performing a POST to one of these listed servers, the malware collects the following system information:
- Windows Version
- Computer Name
- User Name
- Installation Date
- Application names and versions enumerated from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
The malware then builds a data buffer in XML format as shown below
<loader><get_module unique="v1" botnet="v2" system="v3" name="bot" bit="v4"/><soft><![CDATA[v5]]></soft></loader>
v1 = %ComputerName%_%MD5 of the checksum of UserName and InstallDate%
v2 = %Numeric Botnet ID% (125 in this case)
v3 = %Checksum(MajorVersion|MinorVersion|ServicePackMinor|ServicePackMinor|SuiteMask)%
v4 = %List of applications enumerated from Uninstall key delimited by “;”%
The malware now sends a POST request to a server listed in its server config, using the encrypted XML data containing the stolen information. The encryption uses simple XOR operation using “x” as the key.
Figure 5. POST Request
It would receive a reply from the contacted botnet server with an encrypted XML data, which could be decrypted using the same XOR operation.
Figure 6. Bot server response
The decrypted response includes the main DLL component of the Dridex malware, which is then saved into the current directory where the downloader was executed as XX.tmp where XX are varying characters (15.tmp in this case).
The main component, which CYREN detects as W32/Dridex.A, poses as a Microsoft library named MFC110CHS.DLL as shown below:
Table 2. W32/Dridex.A File Meta Information
Just like the downloader component, W32/Dridex.A’s main component is packed using the same compression method. Once unpacked the .sdata section also contains compressed data, this time a public key as shown below.
Figure 7. Decoded public key
The main component is loaded by calling rundll32.exe with the following syntax:
rundll32.exe %path to Dridex DLL% NotifierInit
Calling the main component’s exported function NotifierInit injects a copy of itself into explorer.exe before deleting its own file to further avoid detection from security scanners.
Once running in explorer.exe’s context it starts to perform its malicious behaviors by monitoring the following browser activities:
- Internet Explorer
It has the capability to perform the following spyware behaviors:
- Grab screenshots
- Log keystrokes
Figure 8. Dridex Infection Chain Overview
In summary the whole infection chain of Dridex relies on social engineering, which could be prevented by observing best practices in dealing with emails and documents.
Users can prevent macro-based malware from doing harm to your systems by making sure that macro security settings are enabled, IT administrators may also implement group policies to enforce these settings.
Figure 9. Microsoft Office Excel Security Alert for Macros