Latest Dridex Campaign Evades Detection with AutoClose Function

Proofpoint discovered that a recent spate of phishing messages contained macros-based attacks that did not execute until the malicious document was closed.

Pushers of the Dridex banking malware have gone old-school for some time now, moving the malware through phishing messages executed by macros in Microsoft Office documents.

While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document.

The cat and mouse game between attackers and defenders took another turn recently when researchers at Proofpoint discovered that a recent spate of phishing messages contained macros-based attacks that did not execute until the malicious document was closed.

The technique, which involves the inclusion of an AutoClose method, which helps the malware sample evade detection.

“The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens,” said a Proofpoint advisory. “Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.”

The use of this type of VBscript function, Proofpoint said, is effective against sandbox detection capabilities. Malware that delays execution isn’t necessarily a new evasion tactic, but attackers have been getting innovative about side-stepping security protections in place. For example, sandboxes and intrusion detection software became wise to short delays in execution times. By executing only when the document closes, this current string of Dridex seems to have taken the next step.

“As sandboxes have adjusted to also ‘wait,’ the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether,” Proofpoint said. “No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.”

Dridex, once it’s implanted on the compromised machine behaves like most banking malware. It waits for the user to visit their online banking account and injects code onto the bank’s site and captures user credentials via an iframe.

Dridex and its cousin Cridex are members of the GameOver Zeus family, which is also adept at wire fraud. GoZ uses a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes.

Previous Dridex campaigns have spread via Excel documents laced with a malicious macro. Earlier this month, researchers at Trustwave found a spike of phishing messages using XML files as a lure. The XML files were passed off as remittance advice and payment notifications, and prey on security’s trust of text documents to get onto machines.

These older Dridex campaigns targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.