Evolution of Dridex

In this blog we discuss the evolution of Dridex malware from the perspective of its delivery methods, the frequency of new spam waves using the malware, and its impact on organizations.

The authors of Dridex malware are active and their spam campaigns are some of the most dynamic we’ve recently observed. The method used to deliver the malware through spam emails frequently changes and each new spam campaign uses a new method of delivering malware to the victim.

Early Delivery Methods of Banking Trojans

The main delivery method has been spam emails with either embedded malicious links or a malicious attachment which trick a victim into running the malicious binary.

A brief overview of the timeline from June 2014 until January 2015 for a popular Banking Trojan, Dyre, was provided by Emerging Threats on their blog.

Below are observations of the most common delivery methods used in 2014 and early 2015.

1.     Malicious binaries were hosted on legitimate file sharing sites like cubby.com, copy.com and the download links were sent in spam emails.

2.     Microsoft Word or Excel files were sent in spam emails as attachments. These files had malicious obfuscated macros that directly download the payload from a compromised or an attacker-hosted website.

3.     Malicious links to websites are sent in emails, which reference an external JJEncoded JavaScript. This JavaScript triggers the download of a binary from the browser and the end user is prompted to download the malicious binary.

Most of the changes in the malware delivery methods in 2014 were related to attackers updating the obfuscation techniques used in the macros or hosting the malicious binary on a server equipped with SSL certificate. However, there were few things common across that time period:

1.     The second stage binary was downloaded directly and there were not multiple stages involved. This made it easy to detect them.

2.     File formats used in the spam emails were well-known Microsoft Word or Excel files.

Now, let us look at some of the techniques used in distributing Dridex malware in spam campaigns which make them more difficult to detect than common malware delivery methods discussed above.

Macro-based Trojan Downloaders

Microsoft Office files are the most commonly used file formats in spam campaigns these days. These files have embedded malicious macros in them, which fetch a second stage payload from a compromised server or from an attacker-hosted server.

The obfuscation method used in the macros has been frequently updated. This could be seen as an attempt to evade static signature-based detection.

Multistage Downloader

As we discussed above, in 2014 we saw macro based Trojan Downloaders, which directly fetch the executable in the first network callback. We noticed a Dridex variant, which instead of directly fetching the executable in the network callback, requests a Base64 encoded text file. This Base64 text file decodes to a container of VBScript and Batch. The following steps detail the process.

1.     A malicious macro requests a Base64 encoded text file from a server in the first HTTP GET request as shown in Figure 1.

Figure 1: GET request for Base64 text file

2.     It sends another HTTP GET request to fetch a URL of a malicious executable to download as shown in Figure 2.

Figure 2: GET request to fetch Malicious Binary Download URL

3.     The Base64 encoded text retrieved in Step 1 decodes to a container of snippets of Batch and VBScript. It contains several markers like text10, text20 and so on as shown below. These markers are used to construct the Batch file and VBScript from the decoded text shown in Figure 3.

Figure 3: Code Section from Macro which parses Base64 response

4.     Once the Batch file and VBScript have been created, the macro executes them to fetch the malicious executable from the URL obtained in Step 2.

Base64 encoded text is retrieved from commonly accessed websites like pastebin.com and the malicious binary is hosted on dropbox.com. This gives an advantage to the attacker since the sites used to host the malicious content are commonly used websites so this network traffic cannot be easily distinguished from benign traffic.

File Format Variants

Dridex spam campaigns have recently used different variants of known file formats to deliver the malicious files in spam campaigns. In this section, we discuss variants we recently observed in the wild.

Legacy Word ML Document  - March 2015

In the March 2015 spam campaign, they used the legacy XML based file format of Word.

These files have a file header that looks like the one below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<?mso-application progid="Word.Document"?>

When an XML file as shown above is parsed by the Windows operating system, it will automatically be launched with Microsoft Word.

At the time of this spam campaign, most of the open source and free malware analysis tools (like OfficeMalScanner) did not have the option to extract macros from these Word ML documents. Attackers may be attempting to circumvent these tools and prevent the analysis of the malicious macros.

One of the popular open source Python based OLE parsing tools, olevba.py, did not have the capability to extract the macros from these XML-based Word ML documents. olevba.py was updated after this spam campaign to add support for Word ML documents.

Malicious Word Document embedded in PDF – April 2015

The Dridex authors got creative by embedding malicious Word documents in PDF files. This was observed in their April 2015 spam campaigns.

To open the embedded malicious Word document automatically when the PDF file is opened with Adobe Reader, they included JavaScript in the PDF file.

Below is the snippet of JavaScript used to automatically open the embedded Word Document:

var a = this.dataObjects;

this.exportDataObject({cName:a[0].name, nLaunch:2});

Adobe Reader presents a security warning dialog box when an embedded Word Document is launched from a PDF in this way. Therefore, this attack requires user interaction for successful infection.

MIME based MS Office Files - May 2015

In the Dridex spam wave of May 2015, they embedded the malicious Base64 encoded and deflated OLEStream inside MIME files. The file header looks like the one below:

MIME-Version: 1.0

Content-Type: multipart/related; boundary="----=_NextPart_xxx.xxx"

The actual Base64 encoded and deflated OLEStream will be present in the following section of the MIME document:

Figure 4: Base64 encoded OLEStream

The Base64 encoded text will always begin with "QWN0aXZlTW" which corresponds to ActiveMime.

These MIME documents open automatically with Microsoft Word and the macros are executed; however, most of the open source and free malware analysis tools did not have the capability to extract and analyze these macros at the time of the spam campaign -- enabling them to evade detection.

The embedded macro in these MIME documents fetches the VBScript from pastebin.com as shown in Figure 5. This VBScript once again fetches the malicious payload from attacker controlled server as shown in Figure 6.

Figure 5: GET request to fetch VBScript from pastebin.com

This VBScript once again fetches the malicious payload from attacker controlled server as shown in Figure 6.

Figure 6: VBScript fetching malicious payload

We can see in this case that the Dridex authors have once again introduced an intermediate stage in downloading the malicious binary. They download a VBScript from pastebin.com as an intermediate step to prevent detection.

Below are some important points to note about these MIME-based files:

  • We also observed Excel files used in the spam campaign using a similar MIME based format.
  • The file header can be flexible. Even if we add multiple characters before " MIME-Version: 1.0", the files open successfully with Microsoft Word or Microsoft Excel.

Impact of Banking Trojans on Organizations

We have gathered statistics using our Dynamic Threat Intelligence (DTI) cloud to show the geographical- and timeline-based distribution of the two recently most active Banking Trojans, Dridex and Dyre. The graph in Table 1 shows the exposure rate distribution for different geographical regions:

Table 1: Exposure Rates for Different Geographical Regions: Exposure rate is calculated by the number of customers affected by Dridex and Dyre in a region divided by the number of all customers in the region.

The region most affected by Dridex and Dyre Banking Trojans is North America. The average exposure rate for the global region is 57.3%, which means that nearly 6 out of 10 organizations in the world were affected, and this is a significantly high number on a global level.