Blog Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs

January 19, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs

Introduction

The last three months of 2020 saw a sustained increase in malicious spam distributing Dridex malware. The number of Dridex samples isolated by HP Sure Click more than tripled in Q4 compared to Q3, representing a 239% increase. According to HP Sure Click telemetry, Dridex is currently the second most widely circulating crimeware family behind Emotet. Although originating in 2012 as a banking Trojan, since 2017 Dridex’s operators have increasingly shifted their tactics to delivering ransomware.

Dridex’s distributors commonly propagate the malware using malicious Office documents (maldocs) that download the Trojan from a remote web server. Interestingly, since mid-2020 a variant of these maldocs started containing hundreds of URLs from which to download the malware. This technique makes the loader more resilient to takedown action by hosting providers and domain registrars. It also increases the likelihood of successfully downloading the payload. Instead of blocking one URL, network security controls such as web proxies would need to block hundreds of URLs to prevent the malware from being downloaded.

Following this change to Dridex’s first stage loader last year, we collected samples and analyzed them. This article gives an overview of how the payload URLs are stored and decoded. We also provide a Python script that extracts the URLs to assist security teams in their blocklisting efforts.

Dridex’s Excel loader

We focused primarily on the Excel format loader for this analysis because it was by far the most common file type we encountered. Dridex also has a Word dropper, which we’ve previously written about. As opposed to a dropper, a malware loader contains at least one network destination which is used to download a payload. This allows the loader to be small but necessitates communication over a network to install the malware. The Dridex loader generally uses the approach shown in Figure 1 to download its payload.

Figure 1 – Typical Dridex infection chain.

Dridex loader types

We identified several types of Dridex loader that each uses a different way to download and execute the payload. Sometimes the document used a Visual Basic for Applications (VBA) macro, Excel 4 macro or both to execute code. The loader uses either PowerShell or Windows API calls to open a network connection and download the payload. We can split Dridex’s loaders into two types based on how the code is executed:

Code executed using Excel 4 macros

The first type of loader uses Excel 4 macros to generate PowerShell code or call Windows API functions to download the malware. In both cases, the loader only downloads the payload from one URL.

Code executed using VBA macros

The second type of loader uses VBA macros to download Dridex. This type of loader uses different methods to achieve this. One way is by generating an encoded shell command, which calls PowerShell to download the payload. The loader also only downloads the payload from one URL.

A second, and more notable, method used by this type of loader stores encoded data in an Excel worksheet. When run, the VBA code loads the data from the worksheet and decodes it using one of many routines. The decoded data is a list of hundreds of URLs, from which one is randomly chosen to download Dridex. The sheer quantity of payload URLs is unusual for a loader, so we decided to analyze this download mechanism in more detail.