This blog entry was originally published on January 28, 2016 on the original Polito Blog. It was re-posted on October 3, 2017 due to migrating to a new blog platform.
Taking Apart Dridex
In Part 1 of this two-part series, we dove into just how simple macro malware can be. In this post, I break down Dridex, a banking malware family commonly delivered via phishing emails that has infected more than a million users. Dridex's infection rate has risen significantly due to its use of macros to infect a target.
What Is Dridex?
Dridex is the name of a strain of malware designed to eavesdrop on its victims’ computers in order to steal personal information such as usernames and passwords, with the ultimate goal of breaking into bank accounts and siphoning out all the money. First spotted by researchers in November 2014, Dridex targets customers of banking and financial institutions, mostly based in Europe. Dridex infections focus more on targeting small to mid-size businesses versus individuals.
How Does It Spread?
Dridex is spread through phishing emails sent by attackers to their targets. The emails typically contain an infected Microsoft Office file and attempt to trick the user into opening the attachment. Unlike other malware, Dridex does not spread on its own; instead, the threat actor must specifically target the victim with the initial infection email.
How Is It Infecting Computers?
The infected Microsoft Office file is typically either a Word document or an Excel document and triggers an embedded VBA macro (a small embedded program, described in Part 1) when opened. That macro starts a payload chain that ultimately downloads the main payload of the malware, the Dridex trojan itself, which is then installed and run on the user's computer.
Dridex does not use any security vulnerabilities to infect computers; instead, it relies on social engineering to abuse legitimate means through which programs can be installed and run. This means that the user has to initiate the infection. The infection will not work if the infected document is never opened or if the recipient of the document declines to enable macros.
Figure 1: Typical Dridex attack vector. Photo: SANS
Dridex is commonly bundled with phishing emails sent to the targets' email addresses. The file names of the attachments mimic a file that would be important for the target to open. Email subject lines and file names such as "Outstanding Invoices" and "Payment Request" are typically employed by Dridex to entice the target into opening the malicious document.
Figure 2: Typical Dridex infection chain. Photo: Trend Micro
Figure 3: Word automatically disables macros as a security feature. Photo: Author
A curious user might unknowingly infect themselves with Dridex by enabling macros in the malicious Word document when prompted. Additionally, attackers might blur out or obfuscate the document content until macros are enabled, leaving the user with no choice other than to enable the malicious macro to see the rest of the document. If the user enables macros, the embedded, obfuscated VBA script will be executed.
Figure 4: PowerShell used to view the Base64 encoded macro, which can be found in the editdata.mso file. Photo: Author
As we can see in the example above, the macro contents are stored in the Word document in base64 encoding; searching for the strings MIME-Version, Content-Location and x-mso will help locate them. Once decoded, the data appears as an ActiveMIME object, which holds ZLIB-compressed data starting at offset 0x32. Decompressing it yields a standard OLE file containing the VBA macro project. Decryption of the ActiveMIME container shows that the macro connects to a URL formatted like this: hxxp://<ip address>/bt/bt/ppt.php, then downloads an executable file and saves it in the temporary directory under a random name. This file is then executed in a command prompt window that is briefly visible. The downloaded file is written in C# and is signed with a valid digital certificate that was issued to Afet[at]mail[.]ua; it acts as a downloader for the Dridex trojan. By using this stage 1 loader to initiate the subsequent downloads of configuration files and the stage 2 payload, Dridex increases its chances of successful payload delivery.
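The extraction chain described above (base64 MSO part, ActiveMIME container, ZLIB stream at offset 0x32, OLE file), as an added analysis helper that is not code from the original post; the MIME layout, the sample OLE body and the boundary string are constructed for the demonstration, and the 0x32 offset is taken from the text rather than derived from a sample.

```python
import base64
import re
import zlib

# Layout as the text describes it: the VBA project sits in an MSO part as
# base64; decoded, it is an ActiveMime container whose zlib stream starts at
# offset 0x32 (per the text) and inflates to a standard OLE compound file.
ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZLIB_OFFSET = 0x32

def extract_mso_base64(mht_text):
    """Return the decoded body of the application/x-mso MIME part."""
    m = re.search(
        r"Content-Type:\s*application/x-mso.*?\r?\n\r?\n(.*?)(?:\r?\n------=|\Z)",
        mht_text, re.S | re.I)
    if not m:
        raise ValueError("no application/x-mso part found")
    return base64.b64decode("".join(m.group(1).split()))

def activemime_to_ole(blob):
    """Inflate the zlib stream inside an ActiveMime container to its OLE file."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        raise ValueError("not an ActiveMime container")
    ole = zlib.decompress(blob[ZLIB_OFFSET:])
    if not ole.startswith(OLE_MAGIC):
        raise ValueError("decompressed data is not an OLE compound file")
    return ole

def extract_macro_ole(mht_text):
    """Full chain: MIME part -> base64 -> ActiveMime -> zlib -> OLE bytes."""
    return activemime_to_ole(extract_mso_base64(mht_text))

# Constructed sample (not a real Dridex document): a fake OLE body wrapped
# the way the text describes, so the chain can be exercised offline.
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24 + b"constructed VBA project body"
SAMPLE_CONTAINER = (ACTIVEMIME_MAGIC
                    + b"\x00" * (ZLIB_OFFSET - len(ACTIVEMIME_MAGIC))
                    + zlib.compress(SAMPLE_OLE))

def build_sample_mht():
    b64 = base64.encodebytes(SAMPLE_CONTAINER).decode()
    return ("MIME-Version: 1.0\n"
            'Content-Type: multipart/related; boundary="----=_NextPart_CONSTRUCTED"\n\n'
            "------=_NextPart_CONSTRUCTED\n"
            "Content-Location: file:///C:/doc_files/editdata.mso\n"
            "Content-Transfer-Encoding: base64\n"
            "Content-Type: application/x-mso\n\n"
            + b64 + "\n------=_NextPart_CONSTRUCTED--\n")
```

The recovered OLE bytes can then be handed to a VBA project parser; on a real sample, the only change is reading the document's MHT/MSO text from disk instead of calling build_sample_mht().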
When executed, the obfuscated file deobfuscates itself, then launches a second copy of itself and finally injects the deobfuscated code into the second process. The deobfuscated code will no longer contain MSIL bytes, but x86 instructions instead. The new process that is created contains additional encrypted sections in which configuration data is stored in XML format. In the data, there is also a list of command and control (C&C) servers that the downloader will contact in order to download the rest of the Dridex payload as seen below:
Figure 5: A List of C&C servers Dridex connects to. Photo: Author
The Dridex downloader will attempt to contact each of the servers in the config file and will try to download a malicious DLL file, which is the final piece of the Dridex payload. Once dropped on the victim computer, the DLL is executed with the following command:
Rundll32 <downloaded_file> NotifierInit
Once the DLL is executed, it injects itself into the legitimate explorer.exe process, where it will monitor banking and browser activity. Dridex monitors all the most common browsers in use today on Windows: Internet Explorer, Chrome, and Firefox.
After the malware starts running in explorer.exe, it immediately adds a firewall rule with the name "Core Networking Multicast Listener Done (ICMPv4-In)", which allows it to contact the Command and Control (C&C) servers listed in the XML configuration file. The malware then contacts the C&C servers and sends an encrypted XML file which contains its unique identifier (derived from the computer name), its build version, and a public key, which is used to encrypt its communication with the C&C servers.
Figure 6: XML containing unique identifiers to Dridex malware. Photo: Author
Intercepting the communication with the server, we can see different configuration files: one in which Dridex updates its list of C&C servers, and another containing commands that specify which targets to intercept and how. It may also make requests for additional modules, as shown below.
Figure 7: An updated C&C node list Dridex makes calls to after its execution. Photo: Author
Figure 8: Configuration data where Dridex requests a specific module from the server. Photo: Author
Figure 9: A list of additional modules Dridex may use during its execution. Photo: Author
Dridex downloads its main configuration file and stores it in the registry at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\<some CLSID>\ShellFolder\<value name>
An example would look something like this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{EF4CF352-2909-3DEC-C35C-A5798D45EC66}\ShellFolder\01D0D73E8320D103
The Dridex configuration file contains several different sections, which include:
Commands: Any commands to be run by Dridex including killing specific processes, downloading files, etc.
List of nodes: The IP addresses of the C&C servers
Settings: Information regarding websites to monitor so that Dridex can extract data from each of the target URLs
In the settings subsection of the configuration file, we can see different types of commands Dridex will use on a target; these settings are target specific:
httpblock: Allow or deny access to web pages
formgrabber: Webpages from which submitted data in a form will be extracted
httpinjectblock: Web pages Dridex will inject code into
httpshots: Data to collect from specified websites
redirects: The web page where the user will be redirected as well as the destination address
httpinject: Web pages that Dridex will monitor in order to inject HTML / JavaScript code
clickshots: Web pages where screenshots will be taken when the user performs a ‘click’. This can enable Dridex to collect PINs and passcodes from banking websites that enable ‘virtual keyboards’ instead of typing in credentials via the keyboard.
Dridex sends all the data it collects, including stolen credentials, from the target to the C&C servers.
Signs of an Infection?
Dridex can typically be detected on a compromised machine by looking for some of its hallmark artifacts. It does not set a persistence key in the registry that would allow a security analyst to easily identify it. However, it is still possible to determine if a computer is infected by searching for the presence of other registry keys, like the one where Dridex stores its configuration data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{some clsid}\ShellFolder\<value name>
Also, since Dridex runs injected code from the explorer.exe process, a user might notice an increase in the resources used by this process. The explorer.exe process has no business connecting to the internet, so network connections from it are another way to detect the infection. Looking for the rogue firewall rule mentioned earlier can be another clue to a Dridex infection.
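The two host artifacts named in this section (the configuration value under the Explorer CLSID\ShellFolder key and the rogue firewall rule), checked against exported data as an added triage helper that is not part of the original post; it assumes a .reg export from regedit and the output of "netsh advfirewall firewall show rule name=all", and both sample inputs below are constructed, reusing only the CLSID and value name quoted in the post.

```python
import re

# Indicators named in the text: the configuration value Dridex writes under
# Explorer\CLSID\{clsid}\ShellFolder and the firewall rule it adds.
CONFIG_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\ShellFolder$")
ROGUE_RULE_NAME = "Core Networking Multicast Listener Done (ICMPv4-In)"

def find_config_keys(reg_export):
    """Return every matching ShellFolder key in a .reg export that holds a value.

    Legitimate namespace extensions can also live under Explorer\\CLSID, so
    hits are candidates to inspect (dump the value and look for the XML
    configuration the text describes), not proof of infection on their own.
    """
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if CONFIG_KEY_RE.match(key) else None
        elif current and line.startswith('"') and current not in hits:
            hits.append(current)
    return hits

def find_rogue_firewall_rules(netsh_output):
    """Return rule names from netsh output that equal the name the text attributes to Dridex."""
    names = re.findall(r"^Rule Name:\s*(.+?)\s*$", netsh_output, re.M)
    return [n for n in names if n == ROGUE_RULE_NAME]

# Constructed sample data (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{EF4CF352-2909-3DEC-C35C-A5798D45EC66}\ShellFolder]
"01D0D73E8320D103"=hex:3c,3f,78,6d,6c,20

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""

SAMPLE_NETSH = """
Rule Name:                            File and Printer Sharing (Echo Request - ICMPv4-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In

Rule Name:                            Core Networking Multicast Listener Done (ICMPv4-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
"""
```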
How to Stay Safe?
Have an up-to-date anti-malware product installed on your Windows computer (Dridex only infects systems that run Windows). Deploy managed Endpoint Security that integrates anti-virus, anti-malware, and anti-spam protection.
Avoid opening attachments from senders whom you do not know personally, and never open email attachments from unknown sources.
Do not enable macros in an Office document, especially from untrusted / unknown sources.
Deploy an enterprise managed Mail Gateway to filter, block, and quarantine suspicious messages.
Deploy Secure Web Gateway (SWG), next-gen firewall or web proxy that combines application control with zero-day exploit detection, advanced anti-malware scanning, real-time web reputation, and flexible URL filtering to screen all inbound/outbound traffic and drop unauthorized traffic to potential Malware Distribution domains, known C&C servers, or infected URLs. Force all enterprise traffic through SWG.
For common ports such as port 80 (HTTP – Internet browsing) and 8080 (HTTP – Proxy), an application-level filtering appliance or web proxy would be able to tell the difference between legitimate Internet traffic used for web browsing and traffic used for peer-to-peer (P2P) networking. This is important because Dridex uses P2P for its communication.
Block all ports and protocols that have no business need (e.g. peer-to-peer protocols such as 6881-6999 Bit Torrent, 6346-6347 Gnutella, 6257 WinMX, 4672 eMule, 411-412 Direct Connect) that could lead to P2P Crawling (e.g. peer-to-peer botnets). Block these ports for both inbound and outbound traffic.
Disable the Macros extension in Microsoft Office. (Macros are disabled by default in Microsoft Office 2007 and above, requiring users to click to "Enable Macros" for each document containing embedded VBA macros.)
Change online banking and shopping account passwords often. Where possible enable multi-factor authentication.
List of Dridex indicators of compromise (IOC) resources:
https://www.virustotal.com (You can search using the word ‘Dridex’)
While not a comprehensive list, it should give anyone enough information on what to look for if you suspect you have been infected by Dridex and/or want to hunt for Dridex IOCs on your network.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
E-mail: info@politoinc.com
Phone: 571-969-7039
Website: politoinc.com