Banking Trojan DRIDEX Uses Macros for Infection
Included in our predictions for the upcoming year is that more severe online banking and other financially-motivated threats will arise. It seems that we didn’t have to wait for 2015 to see proof of this prediction. We recently came across banking malware that features new techniques to cast a wider net for victims and avoid detection. This malware, known as DRIDEX, is being touted as the successor of the banking malware CRIDEX.
The appearance of DRIDEX comes a couple of years after CRIDEX’s entry in the threat landscape. Both CRIDEX and DRIDEX steal personal information, specifically related data to online banking. DRIDEX is considered as the successor because it uses a new way to steal information—via HTML injections.
However, there is a major difference between the two. CRIDEX malware is one of the payloads associated with exploit kit spam attacks. DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code. The macro code downloads DRIDEX onto the affected system.
The DRIDEX Infection Chain
As mentioned, DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
Figure 1. Sample spammed message
The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled—which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware, specifically TSPY_DRIDEX.WQJ, onto the computer.
Figure 2. Malicious attachment instructing users to enable the macro feature
Once executed, the malware then monitors for activity related to online banking. Its configuration file contains a list of banks, most of which are based in Europe. Some of the targeted banks include:
- Bank of Scotland
- Lloyds Bank
- Danske Bank
- Kasikorn Bank
- Triodos Bank
It then performs information theft through methods like form grabbing, screenshots, and site injections.
Macros Versus Exploit Kits
The use of macros is a marked departure from CRIDEX’s infection chain, which relies on the Blackhole Exploit Kit. The move to macros could be seen as one way of ensuring a higher chance of successful attacks.
Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature.
The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into click the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature.
The use of macros also poses challenges for detection because of the insertion of garbage/useless code.
Figure 3. Garbage code found in DRIDEX malware
Based on feedback from the Smart Protection Network, users from Australia are the most affected by DRIDEX, followed by users in the U.K. and the U.S.
Figure 4. Top affected countries, based on data from September-October 2014
We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
Figure 5. Top DRIDEX spam sending countries
Macro-based attacks were popular in the early 2000s but they appear to be experiencing a revival these days. This just shows that “newer” attacks can come in the form of old techniques, which can be successful especially if victims are not aware of these older techniques. For macro-based attacks, it’s best to make sure to enable the macro security features in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings.
It might be tempting to open emails that are related to finances but users should avoid opening such emails until they can confirm the legitimacy of the email. These attacks rely on social engineering for success so exercising some caution can mean the difference between protection and infection.
Trend Micro, through the Smart Protection Network, protects users from all threats related to this attack. Our Web Reputation Service, which tracks the credibility and safety of web domains, blocks access to malicious URLs. The Email Reputation Service scans emails and blocks those that contain spam-like and malicious content, including links and attachments. Meanwhile, our File Reputation Service checks the reputation of files against our database and flags those that contain malicious and suspicious behavior.
The following are the related hashes for the said attack:
Malicious .DOC files:
With additional insight from Joie Salvio.