
Research : Dridex Malware

  • darksymphonie
  • Dec 22, 2021
  • 4 min read

So, today we are going over the Trojan called “Dridex”. This Trojan targets its victims’ banking information. The malware originated in 2014 and has been consistently updated by its operators ever since. Let us begin.


What is Dridex Malware?

As mentioned in the intro, it is a Trojan that targets banking information. Dridex arrives as a spam email that leads the victim to a malicious Office document. Depending on how much email you receive, your spam folder may be filled with hundreds of fake messages waiting for you, or another victim, to click on their malicious links. For example, I went to my personal email to see if I could find one in my inbox, but I had no luck. Luckily, I found a screenshot in another article, as well as some screenshots on Twitter. It would look something like this.


Abrams, L. (2020, December 25). Fake Amazon Gift Card Emails Deliver the Dridex Malware. BleepingComputer. https://www.bleepingcomputer.com/news/security/fake-amazon-gift-card-emails-deliver-the-dridex-malware/.


Congratulations, you won a free 100-dollar gift card, just for checking your spam folder! I wonder what other prizes are in our spam folders!



Young, N. (2019, May 10). The Funniest Spam Emails Of All Time - Geek Alabama. Geek Alabama. https://geekalabama.com/2019/05/09/the-funniest-spam-emails-of-all-time/



All jokes aside, people fall victim to these types of attacks every day: people who are financially struggling, elderly people who don’t know any better, or simply gullible people. The attackers don’t care and will target anyone. In the future I will write a blog post on what I do to provide the best endpoint security for my PC. But now back to Dridex. Once you have clicked the link in the email, it downloads a malicious Office document, such as a Word or Excel file. Here is an example.

Abrams, L. (2020, December 25). Fake Amazon Gift Card Emails Deliver the Dridex Malware. BleepingComputer. https://www.bleepingcomputer.com/news/security/fake-amazon-gift-card-emails-deliver-the-dridex-malware/.


At this point you have not yet been fully pwned. All the victim has to do now is click “Enable Content” at the top.


The result of Dridex

Once the victim has clicked “Enable Content”, that is the moment they have been hacked, or pwned (I prefer to say pwned). But we must ask ourselves: why is clicking “Enable Content” what gets me hacked? By clicking “Enable Content” you allow macros to run. But what exactly are macros, and what do they do? Macros are a feature of Microsoft Office programs such as Word and Excel that, once enabled, can automate a task. They are a useful tool for developers, as well as for people who use them at work. However, you can see how they can be used maliciously: attackers can implement keyloggers, drop ransomware, or open reverse web shells. Put the pieces together and you can see how easy it makes things for the attacker, especially against someone in a company who has not been properly trained to recognise social engineering. Another example is a small business that cannot afford to train all its employees.


Dridex types

Now we’re going over the technical side of this malware. We did a quick overview of how it reaches its victim, how the malware is enabled, and the consequences once it runs. I want to credit Patrick Shlapfer from HP for writing an amazing article breaking down Dridex. Here is the link to their article. The Dridex loaders we are going over today are VBA macros and Excel 4.0 macros. Here is a visual diagram.



Shlapfer, P. (2021, January 19). Dridex Malicious Document Analysis: Automating the Extraction Of Payload URLs | HP Wolf Security. HP Wolf Security. https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/#post/0.



Looking at the diagram, we can see that both VBA macros and Excel 4.0 macros deploy the malware in a similar way. With VBA macros, one popular method is to generate an encoded shell command that calls PowerShell to download the payload from a URL and then load it. A second, more popular VBA method stores the loader in the Excel worksheet in encoded form; when the victim clicks “Enable Content”, the VBA code reads the data from the malicious document and decodes it. The decoded data is a list of hundreds of malicious URLs, and the loader ultimately chooses one of them at random.
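As an added defender-side illustration (this is example code written for this post, not code from the original article or from HP's research), the following Python script performs the kind of triage the paragraph describes: it looks for auto-run macro entry points, decodes a PowerShell `-enc`/`-EncodedCommand` blob (base64 of UTF-16LE text), and extracts the URLs it contains. The VBA sample and the keyword list are constructed for this example; the sample's encoded command is harmless and its URL uses the reserved `.invalid` domain.

```python
import base64
import re
from typing import Optional

# Indicators commonly seen in macro-based loaders (constructed keyword list,
# an assumption for this example rather than an exhaustive detection rule).
AUTO_TRIGGERS = ("AutoOpen", "Auto_Open", "Workbook_Open", "Document_Open")
SUSPICIOUS = ("Shell", "CreateObject", "powershell", "-enc", "-EncodedCommand")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def decode_powershell_blob(blob: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text).
    Returns None when the blob is not valid base64 or not UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_macro(vba_source: str) -> dict:
    """Report auto-run triggers, suspicious keywords, decoded PowerShell
    commands and every URL found in plain text or inside encoded blobs."""
    triggers = [t for t in AUTO_TRIGGERS if t in vba_source]
    lowered = vba_source.lower()
    keywords = [k for k in SUSPICIOUS if k.lower() in lowered]
    urls = set(URL_RE.findall(vba_source))
    decoded = []
    for blob in B64_RE.findall(vba_source):
        text = decode_powershell_blob(blob)
        if text:
            decoded.append(text)
            urls.update(URL_RE.findall(text))
    return {"triggers": triggers, "keywords": keywords,
            "decoded_commands": decoded, "urls": sorted(urls)}


# Constructed sample macro: the encoded command only echoes a URL and the
# domain is reserved (.invalid); this is NOT a real Dridex document.
SAMPLE_COMMAND = "Write-Output 'http://stage2.example.invalid/doc'"
SAMPLE_BLOB = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_VBA = f"""
Private Sub Workbook_Open()
    Dim cmd As String
    cmd = "powershell -NoP -W Hidden -enc {SAMPLE_BLOB}"
    Shell cmd, vbHide
End Sub
"""

if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Tools such as olevba do this far more thoroughly; the point here is that the URL a loader hides behind an encoded command is recoverable without ever running the macro.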






Conclusion

Every day it seems like you hear more and more about companies being hit with all sorts of malware. It has become a normal occurrence: you hear about it, discuss it with others, and watch YouTube videos about it. Log4j, Dridex, ransomware, etc. It’s only going to get worse. That's why we must understand what we can do to mitigate these types of attacks, which all come back to human error. It’s fun doing this type of research because it educates me about malware and makes me curious to test it out in a sandbox environment. As I type this, a popular YouTuber with millions of subscribers has just been hit with Dridex. It's funny how timing works. Here is the link that redirects to Twitter. Have you been a victim of malware? I’m curious to hear if you have! Feel free to reach out to me through any of the links I have provided. Happy Holidays!


