According to the latest research, a variant of the infamous Dridex banking malware has set its sights on Apple’s macOS operating system using a previously undocumented infection method.
It “adopted a new technique to provide users with documents containing malicious macros without having to impersonate invoices or other company-related files,” Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.
Dridex, also known as Bugat and Cridex, is an information stealer known for harvesting sensitive data from infected machines and delivering and executing malicious modules. It is attributed to a cybercrime group known as Evil Corp (aka Indrik Spider).
The malware is also considered a successor to Gameover Zeus, itself a successor to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows used macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload.
A law enforcement operation orchestrated by Europe and the United States disrupted the botnet in October 2015 and a Moldovan national by the name of Andrey Ghinkul was arrested for his role as administrator of the operation. In December 2018, Ghinkul was sentenced to time served in US federal court following his extradition in February 2016.
Subsequently, in December 2019, the US Treasury Department imposed sanctions on Evil Corp and announced a $5 million bounty against two key members Maksim Yakubets and Igor Turashev. Despite these efforts, Dridex has continued to evolve, proving to be a resilient threat.
The Dridex samples Trend Micro analyzed are Mach-O executable files, the oldest of which was submitted to VirusTotal in April 2019. Since then, another 67 artifacts have been detected in the wild, some as recent as December 2022.
The artifact, for its part, contains a malicious embedded document – first detected in 2015 – that carries an auto-open macro, which runs automatically when the document is opened in Word.

Additionally, the Mach-O executable is designed to find and overwrite all “.doc” files in the current user directory (~/User/{username}) with the malicious macro code copied from the embedded document, which is stored inside the binary as a hexadecimal dump.
“Although Microsoft Word’s macro functionality is disabled by default, the malware will overwrite all current user’s document files, including their own files,” Pedragoza explained. “This makes it harder for the user to determine if the file is malicious because it is not from an external source.”
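The overwrite behaviour described above leaves a recognisable footprint on disk: many .doc files under the home directory become byte-identical within a short burst, because each is replaced with the same embedded document. The script below is an added defensive example (not Trend Micro's or the malware author's code) that flags such groups; the `min_files` and `window_s` thresholds and the sample files it builds are assumptions for the demo.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# Hypothetical detector: the macOS Dridex variant overwrites every .doc under the
# user's home with one and the same macro-laden document, so a group of
# byte-identical .doc files that were all modified within a short window is a
# strong indicator of mass overwrite. Thresholds below are assumptions.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_mass_overwrite(root: Path, min_files: int = 3, window_s: float = 60.0):
    """Return [(digest, [paths])] for groups of identical .doc files whose
    modification times all fall inside `window_s` seconds of each other."""
    by_hash = defaultdict(list)
    for p in root.rglob("*.doc"):
        if p.is_file():
            by_hash[sha256_of(p)].append(p)
    findings = []
    for digest, paths in by_hash.items():
        if len(paths) < min_files:
            continue
        mtimes = [p.stat().st_mtime for p in paths]
        if max(mtimes) - min(mtimes) <= window_s:
            findings.append((digest, sorted(paths)))
    return findings

def demo() -> int:
    """Build a constructed sample tree and return the number of flagged groups."""
    root = Path(tempfile.mkdtemp())
    # Constructed stand-in for the overwritten document (OLE magic + filler).
    clone = b"\xd0\xcf\x11\xe0" + b"SAME-MACRO-PAYLOAD"
    for name in ("a.doc", "b.doc", "sub/c.doc"):
        f = root / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(clone)
    # A distinct document last modified a day ago must not be flagged.
    old = root / "notes.doc"
    old.write_bytes(b"\xd0\xcf\x11\xe0" + b"unique content")
    os.utime(old, (time.time() - 86400, time.time() - 86400))
    return len(find_mass_overwrite(root))

if __name__ == "__main__":
    for digest, paths in find_mass_overwrite(Path.home()):
        print(digest, f"{len(paths)} identical .doc files:", *paths, sep="\n  ")
```

Run against a real home directory the script only reads files and prints groups; it makes no changes, so a match is a lead to triage with the files' contents (an unexpected auto-open macro), not a verdict on its own.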
The macros included in the overwritten document are designed to contact a remote server to retrieve additional files, which include a Windows executable file that won’t run on macOS, indicating the attack chain could be a work in progress. The binary, in turn, attempts to download the Dridex loader onto the compromised machine.
While documents containing booby-trapped macros are typically delivered via social engineering attacks, the results once again show that Microsoft’s decision to block macros by default prompted threat actors to refine their tactics and find more efficient methods of entry.
“Currently, the impact to macOS users for this Dridex variant is minimized since the payload is an .EXE file (and therefore not compatible with macOS environments),” Trend Micro said. “However, it still overwrites document files which now carry the malicious Dridex macros.”