Trend Micro researchers have found a new variant of the Dridex banking Trojan that targets macOS and uses a new technique to deliver documents containing malicious macros.
The Dridex banking Trojan has been active since 2014 and has been continually improved over the course of the many attacks on financial institutions it has been used in. The cybercriminal group known as Evil Corp is believed to be behind it.
The sample Trend Micro examined was a Mach-O executable named a.out (detected as Trojan.MacOS.DRIDEX.MANP).
The earliest sample Trend Micro examined was submitted to VirusTotal in April 2019, and the most recent in December 2022.
The malicious document is embedded in the sample’s data segment, which is referenced by the _payload_doc variable. According to the disassembly, the malware runs a loop in which the contents of _payload_doc are copied until the counter reaches _payload_doc_len, the size of the malicious code, reads Trend Micro’s published analysis. “Once the malicious code is ready, the cstring segment plays a part in overwriting the code to the target files.”
Researchers found that the affected .doc files contain the ThisDocument object with the AutoOpen macro that calls the malicious routines; the infected document was first seen back in 2015.
The malware uses the command find -name “*.doc” to look for .doc files under the current user’s home directory (/Users/<user name>). It then iterates over each document file with a for loop and writes the malicious code into it with echo ‘%s’. The macro code copied from the embedded payload is a plain hexadecimal dump.
“While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files. This makes it more difficult for the user to determine whether the file is malicious since it doesn’t come from an external source,” continues the post.
The macros in the overwritten documents connect to a remote server to retrieve additional payloads. The researchers also noticed that the malware drops a Windows .exe file, which cannot run on macOS, a detail that suggests the code is still in a testing stage.
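Because the variant rewrites every .doc under the user’s home directory with the same payload, the telltale signs on disk are many differently named documents with identical bytes, .doc files whose contents are no longer an OLE container, and an AutoOpen macro marker. The following triage script is an added example, not Trend Micro’s code or anything from the sample; it walks a directory tree the same way the malware’s find -name “*.doc” does and flags files on those three signals. The sample files it builds are constructed (a dummy VBA stub stands in for the real macro), and the marker strings and thresholds are assumptions a responder would tune.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Magic bytes of an OLE2 compound file, the container used by legacy .doc files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Names that show up in a Word document carrying a VBA project (assumed indicator
# set). Inside a real OLE container the stream and module names are stored as
# UTF-16LE, so both encodings are searched.
MACRO_MARKERS = ("ThisDocument", "AutoOpen", "Macros")


def inspect_doc(path):
    """Hash one file and note whether it is an OLE container and which macro markers it holds."""
    with open(path, "rb") as fh:
        data = fh.read()
    markers = [
        name for name in MACRO_MARKERS
        if name.encode("ascii") in data or name.encode("utf-16-le") in data
    ]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ole": data.startswith(OLE_MAGIC),
        "markers": markers,
    }


def find_docs(root):
    """Yield every *.doc under root, the same file set `find -name "*.doc"` selects."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".doc"):
                yield os.path.join(dirpath, name)


def triage(root, cluster_threshold=3):
    """Return {path: [reasons]} for every .doc that looks overwritten.

    Signals: identical bytes shared by >= cluster_threshold differently named files
    (one payload written over every document), a .doc that does not start with the
    OLE magic (extension/format mismatch), and an AutoOpen marker (a macro that
    fires when the document is opened).
    """
    infos = {path: inspect_doc(path) for path in find_docs(root)}
    by_hash = defaultdict(list)
    for path, info in infos.items():
        by_hash[info["sha256"]].append(path)

    flagged = {}
    for path, info in infos.items():
        reasons = []
        twins = len(by_hash[info["sha256"]])
        if twins >= cluster_threshold:
            reasons.append("identical content in %d files" % twins)
        if not info["is_ole"]:
            reasons.append("not an OLE container")
        if "AutoOpen" in info["markers"]:
            reasons.append("AutoOpen macro marker")
        if reasons:
            flagged[path] = reasons
    return flagged


def build_demo_tree(root):
    """Constructed sample data: five clean-looking docs and four overwritten ones."""
    # Hypothetical stand-in for the echoed macro text; this is NOT Dridex code.
    payload = (
        b'Attribute VB_Name = "ThisDocument"\r\n'
        b"Sub AutoOpen()\r\n    Call DemoRoutine\r\nEnd Sub\r\n"
    )
    for i in range(5):
        clean = os.path.join(root, "Documents", "notes%d.doc" % i)
        os.makedirs(os.path.dirname(clean), exist_ok=True)
        with open(clean, "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 32 + ("report %d body" % i).encode())
    for i in range(4):
        hit = os.path.join(root, "Desktop", "sub%d" % (i % 2), "invoice%d.doc" % i)
        os.makedirs(os.path.dirname(hit), exist_ok=True)
        with open(hit, "wb") as fh:
            fh.write(payload)
    return root


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for path, reasons in sorted(run_demo().items()):
        print(path, "->", "; ".join(reasons))
```

On a real host you would point triage() at /Users/<user name> and compare the hashes against a backup or Time Machine snapshot; a cluster of identical .doc files across unrelated folders is the strongest single signal, because a legitimate user rarely keeps many byte-for-byte copies of one document under different names.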
“While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft’s decision to block macros by default has prompted threat actors to refine their tactics and find more efficient methods of entry.
“The malicious actors using Dridex are also trying to find new targets and more efficient methods of entry,” concludes the report. “Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with macOS environments). However, it still overwrites document files, which are now the carriers of Dridex’s malicious macros. Furthermore, it’s possible that the threat actors behind this variant will implement further modifications that will make it compatible with macOS.”