Dridex, a malware variant that orginated in 2012 as a banking trojan, is back with a vengeance, with HP’s threat research team tracking a 239% increase in Dridex samples in Q4 2020 on the previous quarter. They say the first two weeks of 2021 has already seen more Dridex samples emerge than in Q3 alone. (Since 2017, Dridex’s operators have increasingly shifted their tactics to delivering ransomware.)
Dridex is evasive malware that also steals banking credentials, with a robust command and control infrastructure. It is thought to be predominantly used by prolific cybercrime group Evil Corp. Among recent Dridex phishing campaigns was one featuring fake Amazon gift cards, which after luring recipients into downloading malicious documents, directed them to Amazon’s legitimate page.
Dridex malware URL blocker
The HP threat research team today released a script (downloadable from the HP Threat Research GitHub) to help organisations to investigate systems that have been infected by Dridex malware and proactively block URLs to stop systems from becoming infected, after collecting 2,082 malicious URLs from 56 Dridex-infected documents. (The script’s output can block all potential Dridex payload URLs instead of just one that a typical sandbox would extract through dynamic analysis. It’s not going to cover your arse forever, but everything helps).
HP malware analyst and blog author, Patrick Schläpfer, who conducted the analysis, explained: “Dridex’s distributors commonly propagate the malware using malicious Office documents (maldocs) that download the Trojan from a remote web server.
“Interestingly, since mid-2020 some of the maldocs started containing hundreds of URLs from which to download the malware. This technique makes the loader more resilient to takedown action by hosting providers and domain registrars.”
Alex Holland, a senior malware analyst at HP, added: “Dridex’s Excel maldocs are particularly challenging to detect because its authors rotate through at least six encoding types to hide the web servers hosting the malware.
“In some cases, the maldocs download Dridex from one of hundreds of servers… Network defences that rely on domain reputation struggle to protect against attacks like this as many sites hosting Dridex are legitimate but compromised.”
He added: “In 2020, we saw an increasing number of loaders shift from VBA to Excel 4 macros as their preferred execution technique because many security tools struggled to analyse this older technology.”
As the team explained in a blog today, the first type of loader uses Excel 4 macros to generate PowerShell code or call Windows API functions to download the malware. The second use VBA macros, downloading the payload via a range of methods, including an encoded shell command that calls PowerShell to download the payload.
A third uses encoded data in an Excel worksheet. As the HP malware research team explains: “When run, the VBA code loads the data from the worksheet and decodes it using one of many routines. The decoded data is a list of hundreds of URLs, from which one is randomly chosen to download Dridex. The sheer quantity of payload URLs is unusual for a loader, so we decided to analyze this download mechanism in more detail.”
According to the company’s telemetry, Dridex is currently the second most widely circulating crimeware family, behind Emotet.
Get the free script here.