
Dridex Delivered by Malicious PDF Files

The actors distributing the Dridex banking trojan switched tactics again this week. In their latest campaign, distributing Dridex botnet 7200, the criminals are now using PDF files that contain links to macro-enabled documents, which in turn download the Dridex payload.

Examining the infection chain further, the initial attack vector is a PDF file attached to an email message. The PDF has a /URI object embedded which links to the second stage of the attack.

The PDF file attached to the email is a blank document with a single image which contains link objects like the following:

PDF /URI object embedded in the malicious document, linking to the second stage of the attack
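As an added illustration (not code from the post or from PrecisionSec), here is a small Python scanner that pulls /URI targets out of a PDF, including ones hidden inside Flate-compressed streams, and flags links that point at Office documents, which is the PDF-to-macro-document hop this campaign relies on. The sample PDF and its URLs are constructed placeholders.

```python
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample PDF (not one of the post's files): a /Link annotation with a /URI action,
# plus a FlateDecode stream hiding a second /URI as a hex string. Both URLs are placeholders.
HIDDEN = b"<< /S /URI /URI <" + b"http://example.invalid/second.docm".hex().encode() + b"> >>"
BODY = zlib.compress(HIDDEN)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50]\n",
    b"   /A << /S /URI /URI (http://example.invalid/MSG0001.doc) >> >> endobj\n",
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(BODY),
    BODY, b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n",
])

LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (...) literal string
HEXSTR = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")             # /URI <...> hex string
STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)

def _unescape(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\ddd octal plus \\( \\) \\\\ and friends."""
    return re.sub(rb"\\([0-7]{1,3})|\\(.)",
                  lambda m: bytes([int(m.group(1), 8) & 0xFF]) if m.group(1) else m.group(2), s)

def extract_uris(pdf: bytes) -> list:
    """Every /URI target found in the raw file and inside any Flate-compressed stream."""
    chunks = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            chunks.append(zlib.decompress(m.group(1)))  # reach into /FlateDecode and /ObjStm
        except zlib.error:
            pass  # image data or another filter: nothing to inflate
    found = []
    for chunk in chunks:
        found += [_unescape(m.group(1)).decode("latin-1") for m in LITERAL.finditer(chunk)]
        for m in HEXSTR.finditer(chunk):
            h = re.sub(rb"\s", b"", m.group(1))
            h += b"0" * (len(h) % 2)                      # PDF pads an odd final digit with 0
            found.append(bytes.fromhex(h.decode()).decode("latin-1"))
    return list(dict.fromkeys(found))                     # de-duplicate, keep file order

OFFICE_EXT = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")

def suspicious_uris(uris: list) -> list:
    """Links whose path ends in an Office extension: the PDF -> macro document hop above."""
    return [u for u in uris if urlsplit(u).path.lower().endswith(OFFICE_EXT)]
```

Links inside encrypted PDFs or behind non-Flate filters are not recovered here; treat an empty result from a file carrying a /Link annotation as a reason to open it in a full parser, not as a clean bill.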

The PDF files have very low detection on VirusTotal:

VirusTotal showing very low detection for the malicious Dridex PDF

The link is an image of a reCAPTCHA click box, using social engineering to encourage the victim to click on it:

Fake reCAPTCHA click box used as a social-engineering lure inside the PDF

The linked URI object points to the second stage of the attack, a macro-enabled document. The document uses standard social engineering, encouraging the user to disable the protection against macro attacks by enabling active content, as shown below:

Macro-enabled document using social engineering to prompt the user to enable active content

As usual, the VBA code is heavily obfuscated:

Heavily obfuscated VBA macro code inside the malicious document

Ultimately the VBA code downloads and executes the final payload via cmd.exe and powershell.exe. After partial deobfuscation, the PowerShell command used to download the final payload looks like this:

Malicious PowerShell command, after partial deobfuscation, used to download the Dridex payload

During our research we found the final payload to be a Dridex binary.

Indicators of Compromise

The Dridex IOCs for the PDF, document and binary analyzed in this post:

Dridex payload MD5: db05a65efdeef1787aa70c519358b403

PrecisionSec analysts constantly monitor the actors behind the Dridex banking trojan for changes in tactics, techniques and procedures (TTPs). Check out our Dridex IOC feed, which is continuously updated with the latest Dridex data.
