D3T3CT to PRoT3CT — Dridex Malware
--
tl;dr ⏳
This writeup looks at the Dridex malware with one objective: to hunt it down!
For that we reverse it as far as needed to understand the sections of the #killchain the malware traverses, along with its IOCs and IOAs, and finally create detection logics that align with that objective.
Rex Dridex🐛
Dridex is a banking trojan/malware commonly distributed through phishing e-mail spam campaigns containing malicious #Excel documents.
I love calling it Rex, so I will call it Rex 👽
Researchers have tied Dridex operations to other malware toolkits such as Ursnif, Emotet, TrickBot, and DoppelPaymer ransomware.
Reversing the Rex🚧
Note: As mentioned in the tl;dr, this article will not focus on malware reversing, as our aim is to hunt with correct detection logics.
The sample I reversed is from a Twitter post where a security researcher discussed Dridex using a different trick to convince the victim.
As we know, one of the key vectors (the golden path to infection) used by Dridex threat actors has been sending malicious Excel documents that leverage the legacy Excel 4.0 macro (XLM) functionality.
But with Microsoft's recent announcement that Excel 4.0 macros will be disabled by default to protect users, this vector may be a whole new ballgame!
That made me curious enough to check whether any new tactics are being used.
Sample Details:
Sample name: AnnualXretirementXplan.54254564.xlsb
MD5: 18662d6c1cc7c38c848608ff1a22964f
First seen: 2021-10-11 14:26:40 UTC
As soon as the victim opens this document (with a file name like this, chances are they will), two prompts pop up: Edit Anyway / Enable Content. I am guessing threat actors are migrating from Enable Content to Edit Anyway 😅!!
Low detection in VT .. hmm…💭
With all this in mind, our aim is to see what's inside the Macros!
The journey didn't throw light at the end of the macro tunnel; instead I ended up in what appear to be OpenXML-formatted sheets, shown below:
After a few hours of online surfing, through high and low tides, I finally decoded the macro!!!! (The code is sanitized a bit. Please use the scripts only if you know what you are doing!!)
Yayyy 👹 🎉 !! With this, we know the path this Dridex takes on its way to its beloved ones.
Tactics:
1) Check whether the affected system is domain-joined or in a workgroup; the corresponding #if branch is selected accordingly.
2) Excel spawning WMIC
3) WMIC calling MSHTA (via wmic process call create)
4) Stager malware: RTF files
5) Stager location: C:\ProgramData\
6) MSHTA downloads the payload from the Discord CDN
7) Running .dll payloads with rundll32.exe
Payload IOCs [Threat Intel]:
https://cdn.discordapp.com/attachments/<…>
[Please refer to the de-obfuscated script above for the complete URL]
Hunting the Rex 🏹
MITRE ATT&CK
From this section on, we start creating hunt logics to hunt it down!
With the tactics we have, we can map them to the MITRE ATT&CK framework to build custom logics. (Note: the logics below are focused on this particular Dridex version and are subject to change as the tactics/malware change.)
User Execution: Malicious File (ID: T1204.002)
Tactic: Execution
Data Sources: File: File Creation, Process: Process Creation
Basic Logic Schema:
We should be monitoring all suspicious child processes spawned from MS Office products!
Parent Process: *\excel.exe
Child Process: *\wmic.exe
Monitor suspicious WMI activities (ID: T1047)
Tactic: Execution
Data Sources: Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation.
Basic Logic Schema:
We should be monitoring all suspicious WMI commands being triggered.
Process: wmic.exe
CommandLine: *process call create*
(Caveat: a process started through wmic process call create is created by the WMI provider host, so it shows up as a child of WmiPrvSE.exe, not of wmic.exe. Hunt on the wmic command line rather than on a wmic.exe → mshta.exe parent/child relationship.)
Monitor suspicious MSHTA activities (ID: T1218.005)
[Signed Binary Proxy Execution: Mshta]
Tactic: Defense Evasion
Defense Bypassed: Application control, Digital Certificate Validation
Basic Logic Schema:
We should be monitoring all suspicious mshta activities/child processes being triggered.
Process: mshta.exe
event.id: 3 (network connections via Sysmon logs)
In this case, #mshta is making network connections to #Discord CDNs.
In my lab setup all DNS traffic is redirected/sinkholed, so mshta.exe next connects to the sinkhole IP via HTTP/SSL, thinking it is the Discord CDN 😈
Lastly, the payloads downloaded are DLL files, so they get executed easily with rundll32.exe. (Note: this stage didn't happen in my case as the queries were sinkholed, and I didn't try running it manually.)
Signed Binary Proxy Execution: Rundll32 (ID: T1218.011)
Tactic: Defense Evasion
Defense Bypassed: Anti-virus, Application control, Digital Certificate Validation
Basic Logic Schema:
Process: rundll32.exe
event.id: 1
CommandLine: look out for commands/DLLs being loaded from suspicious file paths (here, C:\ProgramData\).
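As an added example (not part of the original writeup, nor code from any tool it mentions), here are the four hunt logics above expressed as Python rules and run over a handful of constructed Sysmon-style events, the way you would unit-test them before pushing them to ELK. Every hostname, PID, timestamp, the stage1.rtf and payload.dll names under C:\ProgramData, the DllRegisterServer export and the list of drop directories are assumptions made for illustration; the real download URL is not reproduced.

```python
"""Hunt logic for the Dridex chain (Excel -> WMIC -> MSHTA -> Discord CDN -> rundll32),
evaluated over constructed Sysmon-style events.
Added example, not the writeup's own code. Every host, PID, time, file name under
C:\\ProgramData, DLL export and destination host is invented for illustration.
"""
import re
from collections import defaultdict

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"

def proc(host, time, pid, image, parent_image, cmdline):
    """Constructed Sysmon EventID 1 (process create) record, flattened like winlogbeat output."""
    return {"event_id": 1, "host": host, "time": time, "pid": pid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline}

def net(host, time, pid, image, dest_host, dest_port):
    """Constructed Sysmon EventID 3 (network connection) record."""
    return {"event_id": 3, "host": host, "time": time, "pid": pid, "image": image,
            "dest_host": dest_host, "dest_port": dest_port}

SAMPLE_EVENTS = [  # constructed telemetry, not from the real sample
    proc("WS01", "14:30:01", 4120, OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\explorer.exe",
         r'"EXCEL.EXE" "C:\Users\bob\Downloads\AnnualXretirementXplan.54254564.xlsb"'),
    proc("WS01", "14:30:09", 5204, SYS32 + r"\wbem\WMIC.exe", OFFICE16 + r"\EXCEL.EXE",
         r'wmic process call create "mshta C:\ProgramData\stage1.rtf"'),
    # Win32_Process.Create launches the new process under WmiPrvSE.exe, not under
    # wmic.exe, so a plain wmic.exe -> mshta.exe parent/child rule would miss it.
    proc("WS01", "14:30:10", 5288, SYS32 + r"\mshta.exe", SYS32 + r"\wbem\WmiPrvSE.exe",
         r"mshta C:\ProgramData\stage1.rtf"),
    net("WS01", "14:30:12", 5288, SYS32 + r"\mshta.exe", "cdn.discordapp.com", 443),
    proc("WS01", "14:30:15", 5400, SYS32 + r"\rundll32.exe", SYS32 + r"\mshta.exe",
         r"rundll32.exe C:\ProgramData\payload.dll,DllRegisterServer"),
    # Benign noise on another host that the rules must not flag.
    proc("WS02", "15:02:00", 900, SYS32 + r"\wbem\WMIC.exe", SYS32 + r"\cmd.exe",
         "wmic os get caption"),
    proc("WS02", "15:05:00", 912, SYS32 + r"\rundll32.exe", SYS32 + r"\svchost.exe",
         r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe"}
# User-writable drop locations (assumed list); the stager in this campaign lived in C:\ProgramData\.
UNTRUSTED_DIRS = re.compile(r"(?i)(c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\|\\temp\\)")
DISCORD_CDN = re.compile(r"(?i)(^|\.)discord(app)?\.com$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_office_spawns_lolbin(ev):  # T1204.002: Office spawning a living-off-the-land binary
    if ev["event_id"] == 1 and basename(ev["parent_image"]) in OFFICE_APPS \
            and basename(ev["image"]) in LOLBINS:
        return "T1204.002 office_spawns_" + basename(ev["image"])

def rule_wmic_process_create(ev):  # T1047: process creation through WMI
    if ev["event_id"] == 1 and basename(ev["image"]) == "wmic.exe" \
            and re.search(r"(?i)process\s+call\s+create", ev["cmdline"]):
        return "T1047 wmic_process_call_create"

def rule_mshta_untrusted_file(ev):  # T1218.005: mshta running a file from a drop directory
    if ev["event_id"] == 1 and basename(ev["image"]) == "mshta.exe" \
            and UNTRUSTED_DIRS.search(ev["cmdline"]):
        return "T1218.005 mshta_untrusted_path"

def rule_mshta_network(ev):  # T1218.005: any outbound connection by mshta deserves a look
    if ev["event_id"] == 3 and basename(ev["image"]) == "mshta.exe":
        tag = "_to_discord_cdn" if DISCORD_CDN.search(ev.get("dest_host", "")) else ""
        return "T1218.005 mshta_network_connection" + tag

def rule_rundll32_untrusted_dll(ev):  # T1218.011: rundll32 loading a DLL from a drop directory
    if ev["event_id"] == 1 and basename(ev["image"]) == "rundll32.exe" \
            and UNTRUSTED_DIRS.search(ev["cmdline"]):
        return "T1218.011 rundll32_untrusted_dll"

RULES = [rule_office_spawns_lolbin, rule_wmic_process_create, rule_mshta_untrusted_file,
         rule_mshta_network, rule_rundll32_untrusted_dll]

def hunt(events):
    """Return {host: [(rule_name, event), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev["host"]].append((name, ev))
    return dict(hits)

def chain_stages(host_hits):
    """Distinct ATT&CK technique IDs seen on one host; more of the chain means higher confidence."""
    return sorted({name.split()[0] for name, _ in host_hits})

if __name__ == "__main__":
    for host, host_hits in hunt(SAMPLE_EVENTS).items():
        print(host, chain_stages(host_hits))
        for name, ev in host_hits:
            print("  ", ev["time"], name, ev.get("cmdline") or ev.get("dest_host"))
```

Two design points worth noting. mshta.exe is recorded with WmiPrvSE.exe as its parent, which is how Win32_Process.Create really surfaces in Sysmon, so the rules key on the wmic command line and on mshta's own behaviour rather than on a wmic → mshta parent chain. And in a sinkholed lab the DestinationHostname in event ID 3 may be empty or resolve to the sink, so the mshta rule fires on any outbound connection and only adds the Discord tag when the hostname is visible. The LOLBIN and drop-directory lists are where your environment's suppressions go.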
I see.. I see… IOCsss 👀
From the de-obfuscated script mentioned above, we know where the payloads are downloaded from!!
So the next step is to add those to your watchlists, STAXX, MISP etc.!!!
Word of Caution:⚠️
>>The malware was run in an isolated lab environment with data logged into an ELK stack
>>Do not attempt to run the scripts/malware unless you know what you are doing
>>Every logic needs additional queries and suppressions depending on the environment you are hunting in and the security tools you are using
>>The complete analysis is based on a domain-joined machine
References:📕
[1] https://attack.mitre.org/
[2] https://blog.checkpoint.com/2021/05/13/april-2021s-most-wanted-malware-dridex-remains-in-top-position-amidst-global-surge-in-ransomware-attacks/
[3] https://github.com/LunaMarginis
[4] https://www.virustotal.com/gui/file/93f5cb2c91d12817661874b6b9c2880e16be1ba502c61e5b4bfba8e866aa4301
[5] https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex