The actors distributing the Dridex banking trojan switched tactics again this week. In their latest campaign, distributing Dridex botnet 7200, the criminals have switched to using PDF files, with links to macro-enabled documents which finally download the Dridex payload.
Examining the infection chain further, the initial attack vector is a PDF file attached to an email message. The pdf has a /URI object embedded which links to the second stage of the attack.
The pdf file attached to the email is a blank document with a single image which contain link objects like the following:
The PDF files have very low detection on VirusTotal:
The link is an image of a reCAPTCHA click box using social engineering to encourage the victim to click on it:
The linked URI object points to the second stage of the attack which consists of a macro enabled document. The document uses standard social engineering encouraging the user to disable the security protecting against macro attacks by enabling active content as shown below:
As usual, the VBA code is heavily obfuscated:
Ultimately the VBA downloads and executes the final payload using cmd.exe and powershell.exe. The malicious PowerShell command after (partial) deobfuscation which is used to download the final payload looks like this:
During our research we found the final payload to be a Dridex binary.
The Dridex IOC’s for the pdf, doc, and binary that were analyzed in this post:
Dridex payload md5: db05a65efdeef1787aa70c519358b403
Dridex payload URLs:
precisionsec analysts are constantly monitoring the actors behind the Dridex banking trojan for changes in tactics, techniques and procedures (TTP’s. Check out our Dridex IOC feed which is continuously updated with the latest Dridex data.