Analysis of the Dridex malware distribution method

Dridex (also known as Cridex or Bugat) is a representative banking malware that steals financial information. It is distributed worldwide by cybercrime groups, mainly through macros in Microsoft Office Word or Excel documents attached to spam mail. The most notable feature of Dridex is its modular design: separate files handle functions such as the downloader, the loader, and the bot. Because of this design, Dridex has also been confirmed delivering ransomware such as BitPaymer. Comparing the code and the distribution methods has also confirmed that the group that builds and distributes Dridex and the group that distributes the ransomware overlap substantially.

Spam mail

The collected e-mails are written in English and appear to target overseas recipients. Subjects include 'Freight Statement Of Outstanding As Of 03_29_2021' and 'Ocean Freight overdue invoice Of 03_29_2021', which resemble the subjects of spam mail distributed in Korea. Each e-mail carries an Excel file attachment.

Excel file

A blurry image is inserted into the Excel document to lure the user into clicking it. The image is linked to the VBA macro code, so clicking it runs the macro function 'VIEW_DOCUMNET'. Because the macro runs only on a click in a specific area, rather than through an auto-executing macro such as Auto_Open, the document is hard to execute properly in an automated analysis sandbox.

The Excel document also contains hidden sheets: the two hidden sheets are XLM (Excel 4.0) macro sheets. The attacker used both VBA and XLM macro code, with the VBA code referring to the XLM macro sheet at run time. This makes it hard to understand the behaviour from the VBA code or the XLM macro sheet alone, and hard to detect based on the code in any one area.
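As an added illustration (not code from the original report), the following Python walks a BIFF8 Workbook stream and lists each sheet's visibility and type from its BoundSheet8 records, which is how the two hidden XLM macro sheets can be spotted without opening the file in Excel. It assumes the Workbook stream has already been extracted from the OLE container (for example with olefile; that step is not shown), and it builds a constructed sample stream inline rather than reading a real document.

```python
import struct

BOUNDSHEET = 0x0085          # BoundSheet8 record type
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "vba module"}


def iter_records(stream: bytes):
    """Walk a BIFF8 stream: each record is a 2-byte type, 2-byte length, then data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4: pos + 4 + length]
        pos += 4 + length


def parse_boundsheets(stream: bytes):
    """Return name, hidden state and sheet type for every BoundSheet8 record in the stream."""
    sheets = []
    for rtype, data in iter_records(stream):
        if rtype != BOUNDSHEET or len(data) < 8:
            continue
        # lbPlyPos (4 bytes) | byte 4: low 2 bits = hsState | byte 5: dt (sheet type)
        hs_state = data[4] & 0x03
        dt = data[5]
        cch = data[6]                      # ShortXLUnicodeString: length, then flags
        high_byte = data[7] & 0x01         # 1 = UTF-16LE characters, 0 = 8-bit
        raw = data[8: 8 + cch * (2 if high_byte else 1)]
        name = raw.decode("utf-16-le" if high_byte else "latin-1")
        sheets.append({
            "name": name,
            "state": HS_STATE.get(hs_state, "unknown"),
            "type": SHEET_TYPE.get(dt, f"unknown(0x{dt:02x})"),
        })
    return sheets


def hidden_macro_sheets(stream: bytes):
    """The combination seen in this sample: XLM macro sheets that are hidden or very hidden."""
    return [s for s in parse_boundsheets(stream)
            if s["type"] == "macro sheet" and s["state"] != "visible"]


def make_boundsheet(name: str, hs_state: int, dt: int) -> bytes:
    """Build one BoundSheet8 record; used only to construct the sample stream below."""
    body = struct.pack("<IBB", 0, hs_state, dt) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed sample Workbook globals substream: BOF, one visible worksheet,
# two hidden XLM macro sheets (one "very hidden"), EOF. Sheet names are made up.
SAMPLE_STREAM = (
    struct.pack("<HH", 0x0809, 16) + b"\x00" * 16      # BOF (contents irrelevant here)
    + make_boundsheet("Sheet1", 0, 0x00)
    + make_boundsheet("Macro1", 2, 0x01)
    + make_boundsheet("Macro2", 1, 0x01)
    + struct.pack("<HH", 0x000A, 0)                     # EOF
)

if __name__ == "__main__":
    for sheet in parse_boundsheets(SAMPLE_STREAM):
        print(f"{sheet['name']:<10} {sheet['type']:<12} {sheet['state']}")
    print("hidden macro sheets:", [s["name"] for s in hidden_macro_sheets(SAMPLE_STREAM)])
```

A "very hidden" sheet (hsState 2) cannot be unhidden from the Excel UI at all, so a document whose only macro sheets carry that state is worth treating as suspicious on its own.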

The attacker set a password on the VBA project so that the code cannot be inspected in the editor. The VBA code can still be extracted with a tool such as oletools, but the obfuscated code shown below is hard to understand by reading alone. The attacker most likely used a VBA project locker such as Evilclippy.

When the VBA macro code is debugged, it can be seen reading cells of the XLM macro sheet and using them as data. That data feeds the code-generation process for accessing external URLs, which is the Excel document's final function. A total of 57 URLs are generated, and several rounds of deobfuscation are needed along the way. The URLs the Excel file accesses are listed in the IOCs below (access and download should be blocked).

After building the URL list, the macro picks a random address and attempts a download. Even if some addresses are blocked, multiple addresses remain reachable, which raises the success rate of the attack. The downloaded file is a DLL (Portable Executable), but it is served with a compressed-file extension such as .rar, .tar, or .zip rather than .dll, apparently so that the download of an executable is not blocked as suspicious behaviour. The file is saved under a fixed DLL file name. This DLL is the Dridex loader.

If the download succeeds, the obfuscated CALL function is executed. It is a command that runs the downloaded Dridex DLL through the Regsvr32.exe process. Once this runs, Dridex is loaded into the Regsvr32.exe process and is active on the system.
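The following Python, added here and not part of the original report, demonstrates two checks a defender can apply to the download-and-execute stage described above: a content-based classification that flags a file carrying a .rar/.tar/.zip extension whose bytes are actually a PE, and a process-creation rule that flags Excel spawning regsvr32.exe with a DLL path in a user-writable directory. The sample bytes and process events are constructed for the example (the file name klcpk3.rar is taken from the IOC list); the DLL file name and user paths are placeholders, since the report does not give the fixed DLL name.

```python
import struct
from dataclasses import dataclass

# Magic bytes of the container formats the Dridex download pretends to be.
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"
TAR_MAGIC = b"ustar"                 # sits at offset 257 of a POSIX tar header
ARCHIVE_EXTENSIONS = {".rar", ".tar", ".zip"}
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def is_pe(data: bytes) -> bool:
    """True when data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_container(data: bytes) -> str:
    """Classify the bytes by signature, ignoring whatever the file name claims."""
    if is_pe(data):
        return "pe"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data[257:262] == TAR_MAGIC:
        return "tar"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """Archive extension on the name, executable bytes inside: the masquerade described above."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext in ARCHIVE_EXTENSIONS and detect_container(data) == "pe"


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def is_office_spawned_regsvr32(ev: ProcessEvent) -> bool:
    """Office parent, regsvr32 child, DLL argument in a user-writable directory."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or child != "regsvr32.exe":
        return False
    return any(marker in ev.command_line.lower() for marker in USER_WRITABLE)


def flag_events(events):
    return [ev for ev in events if is_office_spawned_regsvr32(ev)]


def _fake_pe() -> bytes:
    """Constructed 64-byte DOS header plus PE signature; not a real binary."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(buf) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples: the first name comes from the IOC list, the bytes are synthetic.
SAMPLE_DOWNLOADS = {
    "klcpk3.rar": _fake_pe(),                            # PE wearing a .rar extension
    "real.rar": RAR_MAGIC + b"\x00" * 16,                # genuine RAR header
    "real.tar": b"\x00" * 257 + TAR_MAGIC + b"\x00" * 8,  # genuine tar header
}

# Constructed process-creation events; PLACEHOLDER.dll stands in for the fixed DLL name.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe -s "C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.dll"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

if __name__ == "__main__":
    for name, blob in SAMPLE_DOWNLOADS.items():
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name:<12} {detect_container(blob):<8} {verdict}")
    for ev in flag_events(SAMPLE_EVENTS):
        print("suspicious:", ev.command_line)
```

The content check is the one a proxy or mail gateway can apply regardless of the 57 rotating URLs, and the process rule is the one an EDR can apply regardless of how the DLL was obfuscated; together they cover both ends of the stage.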

Dridex DLL

The Dridex DLL operates through a very complex code-generation and unpacking process. The core loader PE is rebuilt in memory by repeatedly allocating and freeing memory, injecting code, and granting execute permission. The core loader's own code has not changed much; its key function is connecting to the next-stage C&C server, and during this process it transmits user data such as system information.

We have examined the Dridex distribution chain from spam mail to the Dridex DLL loader. In an automated sandbox it is hard to follow the chain from the spam mail through to DLL execution, and because the Excel and DLL files change appearance quickly, signature-based response has its limits. AhnLab's products detect the spam mail distribution and the Dridex DLL files as follows.

IOCs

C&C addresses
https[:]//210.65.244.176/
https[:]//37.34.58.210[:]6601/
https[:]//210.65.244.176/

Download URLs (57)

https[:]//tencoconsulting.com/klcpk3.rar
https[:]//abad.tv/gmrgbkv.rar
https[:]//nedkellymyanmar.com/l76db8k.rar
https[:]//myloanexpert.in/exxuia66v.tar
https[:]//aps-scribe.com/ptdgv53.rar
https[:]//sivmedia.dk/z18n7do.rar
https[:]//14karatvisions.com/rh1trnt.rar
https[:]//plataformas.datasiswebcontable.com/ek2lqm2.zip
https[:]//reseller.itechbrasil.com/xwpr9m9.tar
https[:]//estudiodedanzaesperanzadelosreyes.com/pi4omy.rar
https[:]//sadmahfuneralservices.co.za/jke1xnf7b.rar
https[:]//engagedmarketingmedia.com/mt42qiyn.rar
https[:]//disinfection-cleaning.co.za/sc25xty.zip
https[:]//cacaoprojects.com/asse9e3x.rar
https[:]//blog.difusodesign.com/vzsfnw3rk.rar
https[:]//v2consultores.com/gaiqb3.zip
https[:]//sabihasart.com/ltxd9207y.zip
https[:]//cpanel.shivay.net/ak5kpl1.zip
https[:]//kaptaanchapal.com/hrloamk3.zip
https[:]//www.estatebroker.in/cc5qg9x.tar
https[:]//thediasporianexperience.com/vh3r0pn.tar
https[:]//bioskey.com/w9jii4e1h.rar
https[:]//mediawaysnews.com/idn75myb.rar
https[:]//community.reimclub.com/ezmumkw.rar
https[:]//nxtnet.ga/oszxyd.tar
https[:]//aps-sv.com/lse6o3.rar
https[:]//masterthedaybook.com/hp8v4p3.rar
https[:]//goldenasiacapital.com/pqyxgi.rar
https[:]//ist-security.com/nz3wx4.rar
https[:]//addictionmusic.in/lloaynxsp.tar
https[:]//hchfug.org/oikz5qpn.tar
https[:]//gifsnow.fun/jta343i.rar
https[:]//preescolarmamagansa.edu.mx/uo0j4ls.rar
https[:]//patriotsupremehemp.com/j1jgt4g.rar
https[:]//dev.tunepushr.com/s6c1tl.zip
https[:]//canadianwork.cc/ugeepbmvc.zip
https[:]//cuetzalanlaesencia.com/ehvmx3.tar
https[:]//kienology.com/cepzd8r.zip
https[:]//elbauldenora.com/yknyy9.tar
https[:]//sexologistpakistan.net/e2xlnbik.rar
https[:]//cardilicores.com/ak9zjb.zip
https[:]//www.bizztradingbot.nl/w1em533ne.tar
https[:]//connectcapital.com.br/sum9e8.zip
https[:]//www.pkbacademy.ro/hlinx9.tar
https[:]//movix.net.br/stwv7a9u.rar
https[:]//business2.softberg.ro/knyiq6pg.tar
https[:]//rajeshtailang.com/qksnefw1t.tar
https[:]//anadelgbt.org/n5gi2o1l9.tar
https[:]//www.neslininsayfasi.site/clbqztx8.tar
https[:]//erp.nanotechproautocare.com/umxzvfog.rar
https[:]//www.mitsuiaccounting.com/nsyii02fi.rar
https[:]//drpayalphysiotherapy.in/iuqc13o2.zip
https[:]//spiritualroot.org/yqcsymrnj.rar
https[:]//robthetoolman.com.au/tni7p1y.zip
https[:]//hospedagem.pro/nnkwzi2he.zip
https[:]//rajib.pw/twd3dkz41.tar
https[:]//citihits.lk/iccdupr.rar

MD5
0801368e0e80ba88daad52d7e5977d22
3479d48fef3fa742d91e84705ff4f882
6bd0ae7a5d92e2d47c1cb6cbdc7d47c6

SHA-1
e8e2c197939ca869e7c6d120b27f1dcd35e20342
e9690178e10048937417194a9dfb88c7bb22aef4

SHA-256
5c6c0c5a94f60a71467c535e094d8a9e62e677115cf35b50683fe6bf5d716c29
56cd0bb2fb78736e872dbb88fd9cdd78435b13e15c9b0be2b6ca709df36e93b1