A variant of the bad penny that is Dridex, the general-purpose malware that has been around for years, now has macOS platforms in its sights and a new way of delivering malicious macros via documents.
The first sample of this latest variant appeared on VirusTotal in 2019, but detections started to rise a year later and peaked in December 2022, according to threat researchers at Trend Micro.
However, while the Dridex variant has macOS systems in its sights, the malicious payload it delivers is a Windows .exe file, which won’t run in a macOS environment.
“It is possible that the variant we analyzed is still in the testing stages and has not yet been fully converted to work in MacOS-based machines,” Trend Micro threats analyst Armando Nathaniel Pedragoza writes in a report.
However, Pedragoza noted that the variant overwrites document files that then carry Dridex’s malicious macros, adding that “it’s possible that the threat actors behind this variant will implement further modifications that will make it compatible with MacOS.”
Dridex started off as a banking trojan targeting Windows systems and has over the years evolved to include information-stealing and botnet capabilities. It also has shown a lot of resilience. It was essentially taken down by the FBI in 2015 and four years later the US put a $5 million bounty on two Russian nationals accused of being linked to the threat group Evil Corp, which was behind both Dridex and Zeus, another banking malware.
According to Check Point researchers, Dridex is still most often used as a trojan against financial institutions – it was the fourth most prevalent malware variant in 2021, they wrote last year – but it continues to evolve, which has helped keep it relevant on the cyberthreat scene.
For example, a new variant in September 2021 expanded the info-stealing capabilities and it was used in a phishing campaign that delivered malicious Excel documents. Dridex also was among the top malware abusing the widespread Log4j vulnerability in December 2021, according to Check Point.
“Despite its age, it continues to be used, and in fact has even seen many enhancements over the years,” Trend Micro’s Pedragoza writes. “Its entry point into the user’s system has traditionally been through email attachments, but this blog entry illustrates that the malicious actors using Dridex are also trying to find new targets and more efficient methods of entry.”
Like other malware, Dridex typically delivers documents that carry malicious macros to a victim’s system through email attachments that look like normal document files, he wrote. The sample Trend Micro investigated comes in the Mach object file format (Mach-O), the native executable format on macOS.
Once in, the payload is assembled and the malware searches for files with .doc extensions and overwrites them with the malicious code. The overwritten files carry the D0CF file format signature, the header of a Microsoft Office (OLE) document file, Pedragoza wrote.
In addition, the affected .doc files then contain macros and suspicious components. One object includes the AutoOpen macro, which runs automatically when the document is opened and calls the malicious functions, which look like normal functions with regular names. The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file.
Microsoft last summer blocked Visual Basic for Applications (VBA) macros in downloaded Office documents by default in order to shut down that route used by miscreants. Despite this, the malware in the Dridex variant “will overwrite all the document files for the current user, including the clean files,” he wrote. “This makes it more difficult for the user to determine whether the file is malicious since it doesn’t come from an external source.”
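The two traits described above, the D0CF header with an embedded VBA project and a burst of .doc files all rewritten at once, are what a defender would look for on an affected machine. The following triage script is an added example, not code from the article or from Trend Micro: it assumes a plain-file heuristic (searching for the UTF-16LE VBA project stream name rather than parsing the OLE structure) and constructed sample bytes, not real malware.

```python
import os
from typing import Dict, List, Tuple

# Magic bytes of an OLE2 / Compound File Binary (.doc) file: the "D0CF" signature
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OLE directory entry names are stored as UTF-16LE, so the VBA project stream name
# is searched in that encoding. Heuristic only; a full CFB parser (e.g. olevba) is stricter.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_doc(data: bytes) -> Dict[str, bool]:
    """Classify raw file bytes: is it an OLE document, and does it carry a VBA project?"""
    is_ole = data.startswith(OLE_MAGIC)
    return {"ole": is_ole, "vba": is_ole and VBA_MARKER in data}


def find_overwrite_burst(mtimes: List[Tuple[str, float]],
                         window: float = 120.0, min_files: int = 3) -> List[str]:
    """Return the .doc files whose modification times cluster inside `window` seconds,
    the footprint of a loop that rewrites every document, clean ones included."""
    docs = sorted((t, n) for n, t in mtimes if n.lower().endswith(".doc"))
    best: List[str] = []
    for i, (t0, _) in enumerate(docs):
        group = [n for t, n in docs[i:] if t - t0 <= window]
        if len(group) >= min_files and len(group) > len(best):
            best = group
    return best


def scan_dir(path: str) -> Dict[str, object]:
    """Walk a directory, flag .doc files that hold a VBA project, and report
    whether their modification times look like a mass overwrite."""
    flagged, mtimes = [], []
    for root, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".doc"):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            mtimes.append((full, os.path.getmtime(full)))
            if classify_doc(data)["vba"]:
                flagged.append(full)
    return {"macro_docs": flagged, "burst": find_overwrite_burst(mtimes)}


# Constructed sample bytes (not real malware): a clean OLE header vs one naming a VBA project
CLEAN_DOC = OLE_MAGIC + b"\x00" * 64
MACRO_DOC = OLE_MAGIC + b"\x00" * 32 + VBA_MARKER + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOC), ("macro", MACRO_DOC)):
        print(label, classify_doc(blob))
    print(find_overwrite_burst([("a.doc", 100.0), ("b.doc", 101.0), ("c.doc", 102.0), ("d.doc", 9000.0)]))
```

Run `scan_dir` against a user's Documents folder; a non-empty `burst` list alongside `macro_docs` is the signature the article describes, since a legitimate edit session rarely touches every .doc within two minutes.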
The Dridex variant may not be a significant immediate threat to macOS systems, but the capabilities in it imply that’s the direction the operators are headed in.
“Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments),” Pedragoza writes. “However, it still overwrites document files which are now the carriers of Dridex’s malicious macros.”