{"id":1019,"date":"2024-08-27T16:23:50","date_gmt":"2024-08-27T16:23:50","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1019"},"modified":"2025-07-28T09:34:57","modified_gmt":"2025-07-28T09:34:57","slug":"crib-notes-dridex-creeping-credential-stealer","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-dridex-creeping-credential-stealer\/","title":{"rendered":"CRIB NOTES: Dridex \u2013 creeping credential stealer"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"280\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-rsware-feat-image.webp\" alt=\"\" class=\"wp-image-1028\"\/><\/figure>\n<\/div>\n\n\n<p>The credential-stealing Dridex malware family has typically been used to steal banking credentials and target Financial Institutions \u2013 with a particular focus on the Windows platform. It first surfaced in 2012 and, until recently at least, its exploit of choice was malicious macro-enabled documents delivered as spam. Dridex distribution disappeared for seven months from August 2016 before recently resurfacing.<\/p>\n\n\n\n<p><strong>Recently: <\/strong>In January 2022, the actors behind Dridex quickly adapted to exploit a newly discovered flaw. They were rapidly able to weaponize a Microsoft zero-day which they used to target millions of recipients, primarily in Australia. Email attachments were still the favored delivery method; however, the attachment was now an RTF file purporting to be a scanned document. Once the user opened the file and agreed to \u2018Enable Editing\u2019, the exploit executed.<\/p>\n\n\n\n<p>Microsoft patched the zero-day vulnerability (CVE-2017-0199) in its April Patch Tuesday release.<\/p>\n\n\n\n<p><strong>Technically:<\/strong> In this year\u2019s return, the campaign continued to use email and malicious attachments as the preferred delivery method. 
A collection of spoofed sender addresses is included below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img1.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>In the days leading up to April\u2019s zero-day campaign, Dridex\u2019s authors were carrying out one of their more traditional campaigns. A lot has been written about the zero-day campaign, so rather than parrot what others have written, I suggest you read Proofpoint\u2019s analysis. Instead, we\u2019re going to take a closer look at the initial campaign because this is more likely to mirror their next attack.<\/p>\n\n\n\n<p>The first campaign included .pdf attachments with two JavaScripts which dropped one or more document (.docm) files into the infected host\u2019s \u201cTEMP\u201d folder.<\/p>\n\n\n\n<p>The malicious PDF also contained code to enumerate the targeted environment\u2019s proxy settings and Windows installation date.<\/p>\n\n\n\n<p>The dropped (.docm) file doesn\u2019t contain any readable content; instead it contains a malicious VBA script in which the URL used to download the actual payload is hardcoded:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img2-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>The payload from the above malware repositories contains the following file attributes:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><strong>Filename: 117da8ef79cb0d96c1c803709bd4827f.exe<\/strong><\/p>\n\n\n\n<p><strong>Description: Windows PE32 executable<\/strong><\/p>\n\n\n\n<p><strong>SHA-256: 6739c782d114307deaac42120a7061f51f9e74a86f1e60664997a269784143f2<\/strong><\/p>\n<\/div><\/div>\n\n\n\n<p>Analyzing the downloaded PE32 Windows file further shows us 
the \u201c.rdata\u201d section has the highest entropy value. The high entropy of this section indicates it does not hold ordinary read-only data; it likely contains encoded content that is unpacked and executed from memory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img3.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>Let\u2019s take a closer look at the emails the attackers were sending. A number of spoofed addresses from UK retailer 123-reg were used in the campaign:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img4.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>These addresses were used to send a phishing email posing as 123-reg\u2019s customer service team. Each email contained the malicious PDF file. The body of the email is below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img5.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The PDF attachment was essentially TrojanDownloader:O97M\/Donoff, which contains two JavaScripts and one embedded DOC file with macro-enabled code. This is a classic Dridex play that we expect to see again in the future. Once the user opens the PDF file, the DOCM file drops itself in multiple locations.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img6.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The dropped file downloads the actual payload from the hardcoded URLs specified in the macro code of the DOCM file. 
However, one particular divergence we see in this campaign is that the URL used to download the Dridex payload in the dropped DOCM file is unique and varies from sample to sample. This is believed to allow Dridex to maximize its download share while evading URL reputation services.<\/p>\n\n\n\n<p>Prevalence: While Dridex was largely dormant for more than half a year, its sudden resurgence in two full-strength consecutive campaigns has forced the security community to rethink malware distribution channels and their capabilities, particularly when they are used to bring about the successful comeback of a retired malware family.<br>Mitigation: In terms of the zero-day mentioned earlier in the piece, Microsoft patched this flaw in April \u2013 if you haven\u2019t updated, you should probably stop reading this and go do that now.<\/p>\n\n\n\n<p>While, technically, there are some things security practitioners can do to mitigate against these attacks, Dridex has always included a phishing element. Everyone should exercise caution with emails from unknown senders and \u2013 as a rule \u2013 never open attachments from unknown senders (Are you reading this mum?)<\/p>\n\n\n\n<p>Targets: Although Dridex\u2019s most recent campaign focused on Australian banks, it has also been used to target Financial Institutions across the globe including the UK, US, Scotland and Switzerland.<\/p>\n\n\n\n<p>Attribution: Attribution is always difficult and with Dridex it is no different. 
We can, however, say that the organization behind Dridex is extremely professional \u2013 even going so far as to maintain a Monday to Friday work week.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib_dridex-img7-2.png\" alt=\"\"\/><\/figure>\n<\/div>","protected":false},"author":1,"featured_media":1028,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1019","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"]}