Analysis of an Undetected Dridex Sample

Analysis of an Undetected Dridex Sample

On the 4th of August one of our customers reported an infection attempt on one of their machines. In their deployment ReaQta-core is used to augment the security of their signature-based enterprise endpoint protection system, so an infection attempt detected by our solution is a sign that the AV missed the threat. Usually this either means that the attack is targeted or that the malware is brand new, let’s find out together the result of our investigation.

The malware il delivered via email, packaged inside a .docm file, this is a screenshot of the original message:

Fake-Email-message

 

The content is written in decent italian, which is not usual for fake emails and it’s related to the shipment of a Volkswagen (or better a: Wolkswagen) car. The spoofed message arrived from a IP address registered in Hyderabad, India: 49.207.180.219. Curiously the anti-spam system didn’t trap it.

Document Analysis

Filename: V__PrintSystem_Ordini_fornitori.docm
Hash-SHA256:D6A51DB77113B46F3569A06C46CA852768AF48A2DF38182DA9F12AAC6253ED6C

This is the internal structure of the document attached to the message:

Document-Structure

Clearly the interesting part is the macro contained inside word/vbaProject.bin:

16a16881-34be-4fec-8842-043d66a098c9

We have uploaded the script carved from the message on this pastebin. There are two functions of particular interest:

  • usZ5pw3gU8: performs the payload download
  • KLJLGBk: writes the payload to disk and executes it, shown below

Obfuscated-code

 

The deobfuscated version of the download function looks like this:

Downloading-function

And this is the deobfuscated version of the write&exec function:

Downloading-function-deobfuscated

They’re pretty straightforward so we can move to the payload.

Payload Analysis

Hash-SHA256: 6457E0B72CC587EB8555086518760CFAE4715488E9C82016588E112623D3C294
CompanyName: Phoenix Labs
FileDescription: Pus
FileVersion: 200, 67, 214, 161
InternalName: Putridity
LegalCopyright: Copyright © 1156
OriginalFilename: Noiseless.exe
ProductName: Plantain Motherland

At the time of discovery the payload was identified only by one antivirus and generically marked as a packed executable.

Vt-detections

Once it is run the malware attempts several times to bypass the UAC and elevate its own privileges. The flow of this privilege escalation is already known and works like this:

  1. Dridex creates a .sdb file that is a compatibility database, copies itself and drops a .bat file (shown below)
  2. sdbinst is called in order to install the compatibility database
  3. iscsicli is called that in turn reads the configuration inside the installed compatibility database that instructs it to run the .bat file
  4. the .bat file runs Dridex with admin privileges bypassing the UAC

Malicious-bat-privilege-escalation

This privilege escalation attempt is correctly identified and reported:

Privilege-escalation

After the elevation the malware copies itself inside %localappdata%\<RANDOM>\<RANDOM2>.exe and starts its life cycle by injecting a thread into explorer.exe.

Code-injection

In our case the C&C address was located at the following IP address in Russia: 194.58.111.157. This sample of Dridex is fully sandbox-aware like other variants already identified, so additional care should be taken when the analysis environment is composed of standard sandboxes or virtual machines.

IOCs

Document SHA-256D6A51DB77113B46F3569A06C46CA852768AF48A2DF38182DA9F12AAC6253ED6C
Dropper SHA-256: 6457E0B72CC587EB8555086518760CFAE4715488E9C82016588E112623D3C294
Dropped .bat SHA-256: 447fd346600351cce82f29068368fa90ddae656ffb5399ffcdf72332c2111072
Dropped .sbt SHA-256: a6e827fbb574a774d4e7a517bd33e34d0c15c5b3914c0e2d87ccbe4223519db2
C&C IP address: 194.58.111.157
Payload address: http://cvaglobal.com (178.250.24.99)
Sender address: 49.207.180.219

 

Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!

ReaQta