With the holiday season upon us and Log4j-nia still keeping most of us awake at night, we want to revisit an old chum who continues to operate in full swing amidst the chaos. With fresh tactics at their disposal, Dridex continues to target large organizations with somewhat elaborate lures to ensure user interaction and infection. On Monday, December 15th we noticed an uptick in the amount of verified malware hiding behind password-protected Microsoft Excel spreadsheets, specifically ones containing the dated "macrosheet" functionality. One of the ongoing experiments we have running atop of InQuest Labs data is a limited brute force of these suspicious files. We will be exploring additional evasion methods leveraged by the Dridex campaign to deliver the payload.
At first glance, the samples containing image lures appear to be using blurred documents to entice users to enable macros. We have observed a variety of different subject lures during this campaign including a CDC COVID-19 form along with a fake resume, a personnel form and fake spreadsheets. As seen in the last two lure images, attackers seem to also be masquerading as the NPD group and their DecisionKey reporting software.
Continuing the trend of delivering initial stage content via maldocs, Dridex has shifted to generating random numerical passwords to protect attached Microsoft Office docs. Dridex operators have gone as far as crafting emails that appear to be legitimate team/department memos and instructions. What follows are examples of these emails sent containing passwords to decrypt the attached documents.
|Body:||All the group leaders, staff, and concerned membersThis is being informed to you that from 22th December the office will work according to the new working time that has been agreed by all the board of directors in the annual general meeting held today. Following are the details of the new timings.All the staff members and personnel are requested to make note of the timing and come to office as per the new time from the mentioned date.Please e-sign the attached document till the end of the day.excel is secure encrypted PW 61164All the group leaders, staff, and concerned membersThis is being informed to you that from 22th December the office will work according to the new working time that has been agreed by all the board of directors in the annual general meeting held today. Following are the details of the new timings.All the staff members and personnel are requested to make note of the timing and come to office as per the new time from the mentioned date.Please e-sign the attached document till the end of the day.excel is secure encrypted PW 86819|
|Body:||Due to new federal law from December, 16th (more information is in the attached document):- All unvaccinated employees (with no exceptions) have to make their shot until December, 17th. Those who will not do it in time will be dismissed without warning. Please, find more information in the attached document.- All vaccinated employees from COVID-19 must immediately view attached document for instructions. It informs you on the consequences of lying about vaccination.Please fill out the form in the attached document excel is secure encrypted PW 74826 Due to new federal law from December, 16th (more information is in the attached document):- All unvaccinated employees (with no exceptions) have to make their shot until December, 17th. Those who will not do it in time will be dismissed without warning. Please, find more information in the attached document.- All vaccinated employees from COVID-19 must immediately view attached document for instructions. It informs you on the consequences of lying about vaccination.Please fill out the form in the attached document excel is secure encrypted PW 37129|
An effective evasion method to slow analysis efforts, especially if one is not actively cracking documents or zip archives as password protected content continues to become more mainstay amongst malware families. Once cracked, we notice a macrosheet containing suspicious content; and with a little deobfuscation, we have our first clues.
As we can see, the macro calls an embedded .vbs file that fetches the next step of the attack chain. Using Discord’s CDN servers for distribution as threat actors have been leveraging heavily in recent campaigns, Dridex fetches a .bin that fetches additional payloads upon execution. The payloads specific to Dridex are easily identifiable by URI pattern/file name, which will not be published due to the racially insensitive nature of their naming convention.
Like any campaign, we can expect that future iterations of Dridex will change tactics and become more elusive. Changes observed between now and the numbered password uptick see slight changes in URI patterns and lure messages. We will continue monitoring these changes as the Dridex campaign continues on.
As we get together with loved ones this season, we must remain vigilant of those seeking to rain on our revelry as we move into the new year. From all of us at InQuest: stay safe, happy holidays and happy new year.
InQuest customers are protected against this and other forms of password-protected evasion tactics through a unique email content sourced password cracking algorithm. If you're curious to read more, schedule a brief or request an email attack simulation.
Termination letter changes.xls
Termination of 12-2021.xls
InQuest Labs Original Corpus
InQuest Labs Cracked Corpus