New Dridex malware evades detection with AutoClose function

Security experts at Proofpoint have discovered a new phishing campaign that exploits a Dridex variant that evades detection with AutoClose function.

Criminal crews behind the Dridex banking malware are very prolific and are improving the popular malicious code. Recently we have discussed about a Dridex variant which was spread through phishing messages with Microsoft Office documents embedding malicious macros.

The attackers exploited social engineering technique to lure victims into open the document and enable macros, which are disabled by default since the release of Office 2007.

The most recent improvement for the Dridex campaign is the inclusion of an AutoClose VBscript function as evasion technique.

Triggering malicious action when document is closed could be an effective technique against sandbox detection methods.

“The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens,” states a blog post published by Proofpoint. “Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.The AutoClose method executes another method, “vhjVHsdfdsf” that includes obfuscated code. XOR’ing the obfuscated code with 0xFF yields powershell downloader code which installs Dridex with botnet ID 120.”

Basically, a sandbox detection mechanism doesn’t implement a feature waiting for the user that closes the document.

 “No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.” Proofpoint reports. 

Dridex belongs to the GameOver Zeus family and operates by injecting code directly in the browsers when victims visit their online banking accounts. The malicious code is used to steal sensitive information, including the banking credentials.

Dridex, like last variants of GameOver Zeus, uses a peer-to-peer architecture and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemesto make the botnet resilient to action of law enforcement.

Pierluigi Paganini

(Security Affairs –  Dridex banking trojan, cybercrime)