Dredex — the next way to drop Dridex on your users' brains
Dridex is a pest, a ramshackle criminal construction designed to silently snaffle money from UK businesses. It won't go away, despite being slapped together from open source code, some good luck, some nice new attack ideas, and a great deal of terrible infrastructure.
The latest Office document works with macros disabled and with the Office security options in Group Policy turned up to their maximum.
If you work in a high security environment where you’ve actually enabled security controls in Office, pay attention.
If you work in the UK, you have probably seen the prior Dridex emails. Legitimate looking invoices, remittance advice, with nice email signatures and headers strongly suggesting some of the emails have been pinched from real Exchange servers. There’s a Word or Excel document. It’s blank. There’s a macro. You tell your employees not to open the macros, and there’s a big yellow bar warning them not… But they all open the macros anyway.
Antivirus software generally misses the attachments and often the payloads, and your PCs end up talking to servers in Russia. Those Russian C&C servers are chock full of UK businesses getting their financials owned — logins to business banking systems are automatically extracted from systems.
The email addresses are usually spoofed. If you're the company being spoofed, your email server probably broke. Your email hosting company probably plunged offline — for a few hours or a week, usually. The reason is this: they get so many bounce emails, out of office emails, reply emails — these emails are sent to millions of email addresses — that their SMTP and DNS servers effectively get DDoS'ed. They get millions of emails per hour. They run out of disk space. Sendmail fork bombs the box. Basically, it all goes wrong. That's a topic for another day.
The gang behind this have a huge — almost 50 GB — database of UK business contact details. I know this because they left one of the C&C servers without any network security, so I grabbed their wares.
I won't cover much of what needs to be covered here; I want to focus on a new method they tested today for dropping code. This was done on a very small scale, so let's get out ahead of it.
Enter Dredex — the Microsoft Packager Shell Object abuser
Here’s the latest email attachment they’re testing:
Notice — no macros. This one works even if macros are disabled. Additionally, if you’ve ramped up the security of Office either manually or with the high security templates, it still appears to function on Office 2010 and 2013. In other words, this one is neat. And scary. If from testing our Dridex friends find a high number of people execute the payload, this method is going to be everywhere.
If the user clicks the Excel icon, what actually happens is that the Microsoft Packager Shell Object fires off Doc_SI2evsbv.vbs, a VBScript which is automatically and silently executed. The script looks like nonsense, to try to evade analysis:
What it actually does is use PowerShell — with a trick which turns off the requirement for code to be digitally signed, if you enabled that protection — to effectively wget an executable payload and run it. Again, all this is silent to the user. To the user, it looks like the Excel file fails to open.
In terms of vendor antivirus detection, I could not find any antivirus product or wider security product which spotted this. Even the Palo Alto WildFire sandbox failed to spot it, as it couldn't deal with the XML format of the original Word document, so it didn't scan the file at all.
You can find information on the dropped payload here; it's basically Dridex with some of the recent modifications (e.g. analysis evasion steps):
Document 71cf9e03d0a7cde196ac85a1b9c3936bb50b91234af5c044501f30771a3db67b.pdf on DocDroid (www.docdroid.net)
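Since no product in the post's testing flagged the attachment, here is a mail-gateway style check for the Packager object it relies on. This is an added example and not code from the post or from any vendor; it assumes Windows PowerShell 5.1 or later with .NET's System.IO.Compression available, and it checks for two things a Packager embed leaves behind: an OLE object whose ProgID is Package in the document XML, and an embedded .bin part carrying the Ole10Native stream that Packager stores its file in. Non-zip XML documents (the format the sandbox did not scan) are inspected as plain text.

```powershell
# Added example, not from the original post: flag Office documents that carry an
# embedded "Packager Shell Object" (OLE class ProgID "Package").
# Assumes Windows PowerShell 5.1+ / .NET with System.IO.Compression.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficePackagerObject {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # byte-preserving 8-bit decode
    # Compound-file directory entries are UTF-16LE; Packager keeps its payload in the
    # "\x01Ole10Native" stream, so this byte pattern inside an embedded .bin is a strong hint.
    $ole10Native = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes(([string][char]1) + 'Ole10Native'))
    # Heuristic: script/executable file names that Packager would hand to the shell on click.
    $riskyName = '[\w\-\.\s]{1,80}\.(vbs|vbe|js|jse|wsf|exe|scr|ps1|bat|cmd|hta)\b'
    $progIdPkg = 'progid\s*=\s*"Package"'   # Word: <o:OLEObject ProgID=...>, Excel: <oleObject progId=...>

    $reasons = New-Object System.Collections.Generic.List[string]
    $bytes   = [System.IO.File]::ReadAllBytes($Path)

    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        # OOXML (.docx/.xlsx) is a zip: inspect the part XML and any embedded OLE .bin parts
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.Length -eq 0) { continue }          # directory entries
                $ms = New-Object System.IO.MemoryStream
                $s = $entry.Open(); $s.CopyTo($ms); $s.Dispose()
                $text = $latin1.GetString($ms.ToArray())
                if ($entry.FullName -like '*.xml' -and $text -match $progIdPkg) {
                    $reasons.Add("$($entry.FullName): OLE object with ProgID=Package")
                }
                if ($entry.FullName -like '*/embeddings/*.bin') {
                    if ($text.IndexOf($ole10Native, [StringComparison]::Ordinal) -ge 0) {
                        $reasons.Add("$($entry.FullName): Ole10Native stream (Packager payload)")
                    }
                    $m = [regex]::Match($text, $riskyName, 'IgnoreCase')
                    if ($m.Success) {
                        $reasons.Add("$($entry.FullName): embedded file name looks like '$($m.Value.Trim())'")
                    }
                }
            }
        } finally { $zip.Dispose() }
    } else {
        # Not a zip: Word 2003 XML / Flat OPC documents keep everything in one XML file,
        # so only the text can be checked here.
        $text = $latin1.GetString($bytes)
        if ($text -match $progIdPkg) { $reasons.Add('XML document: OLE object with ProgID=Package') }
    }

    [pscustomobject]@{
        Path         = $Path
        IsSuspicious = ($reasons.Count -gt 0)
        Reasons      = $reasons.ToArray()
    }
}

# Usage: review a quarantine folder of attachments (folder path is a placeholder)
# Get-ChildItem 'C:\Quarantine' -Include *.docx,*.xlsx,*.xml -Recurse |
#     ForEach-Object { Test-OfficePackagerObject $_.FullName } | Where-Object IsSuspicious
```

Legitimate documents also embed files through Packager, so treat a hit as "hold for review" rather than an automatic verdict; the value is that it triggers on the delivery mechanism rather than on a hash of this week's payload.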
How to pro-actively protect yourself
It's actually very similar to the steps in my Great Olive Oil heist coverage. Here, don't allow users to download random Windows executables. Also, consider using Microsoft AppLocker (free, and configurable through Group Policy) to disallow random executables in user temp folders. It can also restrict VBScript and PowerShell.
Almost every UK business and government organisation I’ve encountered does not do the above steps.
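To make the AppLocker step concrete, here is an added example (not from the post, and not Microsoft's default rule set) that builds a policy blocking executables and scripts in user temp folders, then dry-runs it against constructed sample paths with Test-AppLockerPolicy. It assumes Windows 8 / Server 2012 or later with the AppLocker PowerShell module, a temp folder under the usual %OSDRIVE%\Users\<name>\AppData\Local\Temp location, and the Everyone and Administrators well-known SIDs; rule names and output file names are my own.

```powershell
# Added example, not from the original post: an AppLocker policy that allows programs and
# scripts only from Program Files and Windows (plus anything for administrators) and
# explicitly denies the user temp folder, for both the Exe and Script rule collections.
Import-Module AppLocker

function New-PathRule($Name, $Sid, $Action, $PathCond) {
    # Each rule needs its own GUID; the template is kept on one logical line per element
    $tpl = '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}">' + "`n" +
           '      <Conditions><FilePathCondition Path="{4}" /></Conditions>' + "`n" +
           '    </FilePathRule>' + "`n"
    $tpl -f [guid]::NewGuid(), $Name, $Sid, $Action, $PathCond
}

function New-RuleSet {
    $everyone = 'S-1-1-0'       # Everyone
    $admins   = 'S-1-5-32-544'  # BUILTIN\Administrators
    # AppLocker evaluates Deny before Allow, so the temp rule wins even for administrators
    -join @(
        (New-PathRule 'Allow Program Files' $everyone 'Allow' '%PROGRAMFILES%\*'),
        (New-PathRule 'Allow Windows'       $everyone 'Allow' '%WINDIR%\*'),
        (New-PathRule 'Administrators'      $admins   'Allow' '*'),
        (New-PathRule 'Deny user temp'      $everyone 'Deny'  '%OSDRIVE%\Users\*\AppData\Local\Temp\*')
    )
}

function New-TempFolderLockdownPolicy {
    param([Parameter(Mandatory)][string]$OutFile)
    $exeRules    = New-RuleSet
    $scriptRules = New-RuleSet   # generated again so rule Ids stay unique across collections
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$exeRules  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$scriptRules  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding Ascii
    $OutFile
}

function Test-TempFolderLockdownPolicy {
    param([Parameter(Mandatory)][string]$PolicyXml)
    # Constructed samples: Test-AppLockerPolicy inspects real files, so create empty
    # stand-ins in this user's temp folder; notepad.exe already exists under %WINDIR%.
    $samples = @("$env:TEMP\Doc_sample.vbs", "$env:TEMP\payload_sample.exe", "$env:windir\System32\notepad.exe")
    foreach ($p in $samples[0..1]) { New-Item -ItemType File -Path $p -Force | Out-Null }
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $samples -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-TempFolderLockdownPolicy -OutFile "$env:TEMP\temp-lockdown-applocker.xml"
Test-TempFolderLockdownPolicy -PolicyXml $policy

# To enforce locally (needs the Application Identity service running):
#   Start-Service AppIDSvc; Set-AppLockerPolicy -XmlPolicy $policy -Merge
# To publish through a GPO instead, pass the GPO's LDAP path (placeholder below):
#   Set-AppLockerPolicy -XmlPolicy $policy -Ldap 'LDAP://<domain controller>/<GPO distinguished name>'
```

The dry run should report the two temp samples as Denied and notepad.exe as Allowed. Roll this out with EnforcementMode="AuditOnly" first and read the AppLocker event log before switching to Enabled, because the Deny rule also catches installers an administrator runs from temp (scope it to the Users group SID S-1-5-32-545 if that bites). Note what the Script collection does and does not cover: it governs script files the script hosts load from disk, such as the dropped .vbs, but a command passed straight to powershell.exe is not a file, which is why the Exe rule on the downloaded payload matters as much as the script rule.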
The authors of Dridex are evolving how the platform delivers to users. They are clearly playing with ways to increase their success rates. The name Dredex actually comes from their Word document today. I’d say Dredex is a credible attempt to reach audiences such as hospitals and government employees (along with anybody else who likes to click buttons in attachments).
The payload has for some time included a UAC bypass method which I'm not sure anybody has yet investigated (well, maybe one person I know...). Yes, that's right — Dridex can bypass UAC to reach administrator, without a user prompt — but nobody seems to have looked into how it does this yet, and that seems to have been the situation since last year.
Security community — just because this is targeting UK businesses does not mean it's not worth paying attention to. Pay attention. These guys are well financed, terrible spellers, and are performing a massively disruptive, very successful heist of UK businesses. It's being done in a way which largely doesn't impact, say, American or other EU businesses. And the targets are very rich (often in many ways!).
Just because CryptoLocker doesn’t appear on screen demanding money, it does not mean we shouldn’t care. This one needs a lot of love.
To call out antivirus providers — please stop saying your product protects against Dridex when it doesn't. Detection rates are less than 5%, and have been since this all began. Many of the Office documents have the same basic information in them — authors and such — and yet vendors still aren't noticing this and adding generic detection. It's extremely basic stuff, and customers need to start challenging their vendors in this area. If antivirus vendors can't even protect against Office documents abusing macros (a technique from the 90s) then antivirus isn't dying, it's the grave their parent companies will live inside.