Dridex comes via Russian doll-style infection scheme

Apr 28, 2015 17:55 GMT  ·  By
URL for downloading Dridex is available as a GUADALUPE variable in the macro

A less common method for delivering banking malware is currently being used in the wild: it welds a Microsoft Word document, a malicious macro and a PDF file into a single attachment.

The usual technique is to push threats through email messages that either lead the recipient to an executable file posing as a harmless text document or carry a Word document laced with a macro script that downloads the malware.

Malicious files are hard to detect

However, researchers at Avast have found that the latter method has evolved and now embeds the Word document inside a PDF, which is all the potential victim sees in the message.

The ruse is an email claiming to deliver financial details in an attached PDF. The PDF, however, is rigged with JavaScript code and carries the DOC file containing the macro that holds the malicious commands.

When the user opens the seemingly innocuous PDF, the JavaScript drops and executes the DOC. The macro only runs if the user enables macros, though.

“Inside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique method names, variable names, and URLs, making it difficult to detect the malicious files,” says Jan Širmer from Avast.
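The two traits of this dropper that a defender can triage for without running anything are a PDF that carries JavaScript and a PDF that carries an embedded file. The following Python scanner is an added example, not code from Avast or from the article; it tokenises PDF name objects, resolves `#xx` hex escapes (so a keyword written as `/J#53` is still recognised as `/JS`) and flags the script-plus-attachment combination. The PDF samples are constructed for the example.

```python
import re

# PDF name tokens that mark active or embedded content. Seeing one is not proof
# of malice, but JavaScript together with an embedded file, as in the Dridex
# dropper described above, is a combination worth pulling aside for analysis.
SUSPICIOUS_NAMES = {
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/EmbeddedFiles",
}

# A name object starts with '/' and runs until whitespace or a PDF delimiter.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Resolve PDF name escapes such as /J#53 -> /JS so they cannot hide a keyword."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes (no decompression of streams)."""
    counts = {}
    for match in _NAME_RE.finditer(data):
        name = _decode_name(match.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def is_dropper_candidate(data: bytes) -> bool:
    """Flag the pattern seen in this campaign: script code plus an embedded file."""
    found = scan_pdf(data)
    has_script = bool({"/JS", "/JavaScript"} & set(found))
    return has_script and "/EmbeddedFile" in found


# Constructed samples (hypothetical, minimal and not valid for rendering).
SAMPLE_DROPPER = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /EmbeddedFiles << /Names [(report.doc) 5 0 R] >> >> >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (placeholder script text) >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (report.doc) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
SAMPLE_CLEAN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_DROPPER), is_dropper_candidate(SAMPLE_DROPPER))
    print(scan_pdf(SAMPLE_CLEAN), is_dropper_candidate(SAMPLE_CLEAN))
```

Real samples often hide these names inside compressed object streams, so a production triage tool would inflate streams before tokenising; the heuristic above is the raw-bytes first pass.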

Dridex is at the other end of the connection

During the analysis of the macro, the researchers found that it connected to URLs that were unique for each sample of the malware, a variant of the Dridex banking Trojan, which evolved from the infamous Zeus.

The purpose is to steal credentials for accessing bank accounts, as well as logins for Google and Microsoft services. Among the targeted banks are Santander, which operates in the Northeastern part of the United States, and Ulster, a reputable financial institution from Ireland.

The top recommendation from the researchers is to run only the latest versions of software products on the computer. Additionally, users should be wary of suspicious-looking emails from unknown sources. In the case of messages claiming to contain financial information, the sender should be verified before any attached document is opened.