Published on June 19, 2020

Dridex: the secret in a PostMessage()

Dridex is a well-known banking malware that has been around since 2014. The developers behind it are always at the forefront of innovation and capable of routinely coming up with new tricks.

Taking a Closer Look

Dridex Phishing Email

In this campaign (still active at the time of writing), Dridex comes packaged as a zip file, pretending to be a DHL Document. As seen above, the lure, directed at, is rather simple and not articulate.

The attached zip file contains a Word document laced with a malicious macro. Opening the document starts the infection chain, and this is where things get really interesting. To understand the general behavior, we started by running the sample through ReaQta-Hive. This is how it looks.

Dridex behavior as tracked by ReaQta-Hive

At first glance, it might not look like much – just another WMI execution via macro – but behind the scenes, Dridex does something interesting. The wmic.exe inspection panel (2) shows an empty command line, and the edge connecting winword.exe to wmic.exe shows no sign of alteration – no process impersonation or code injection – yet wmic.exe somehow starts rundll32.exe (3). How is this possible?

Winword starting an instance of notepad.exe

The behavioral tree gives us clues. As seen in the image above, we can observe a possible anomaly: an instance of notepad.exe pops out from winword.exe. By zooming in, we also see that notepad opens a .txt file.

The file being processed by notepad is called may_befall.txt. Analyzing the Macro’s code helps better explain what is happening.

Dridex macro analysis

The macro code is obfuscated with passages along the lines of Pride and Prejudice. The developers probably felt poetic. Well, this kind of obfuscation is also more pleasant to the eye of the analyst, so no critique here. Below we can see where the .txt file opened by notepad is created.

Dridex macro creating notepad’s text file

This file is actually an XSL file containing the code that wmic.exe uses to download and run the malicious Dridex payload.

XSL payload opened by notepad

Additional analysis of the macro code shows what is really happening; it can be summarised as follows:

  1. The macro creates an instance of notepad.exe
  2. By using several calls to PostMessageA(), the macro writes the XSL payload into a .txt file
  3. The macro then renames the .txt file to .xsl
  4. wmic.exe is started by the macro
  5. The macro searches for the wmic console window by calling FindWindowExA() with the ConsoleWindowClass window class
  6. Data is again sent to the wmic console using PostMessageA()
  7. wmic.exe runs a SquiblyTwo attack
  8. wmic.exe downloads and drops the malicious Dridex DLLs
  9. wmic.exe finally runs rundll32.exe

Below is a high level view of the macro’s workflow:

Dridex macro workflow

The malicious payload is downloaded from two URLs:

  1. https[:]//batriaruum[.]com/dasruol.dll
  2. https[:]//penotorc[.]com/topwin.dll

Dridex C2 connection

We have created a quick PoC video that shows this technique at work.

Why did the Dridex developers go down this convoluted path to start wmic.exe? There are several possible answers:

  1. To hide the command line and thus prevent static detection, such as automated threat hunting on command-line parameters.
  2. To avoid triggering SIEM correlation rules.
  3. To bypass application whitelisting (AWL) solutions.

Indeed, the technique is quite effective at thwarting such analyses, as the command line doesn't show anything anomalous. Also, the payloads are written to disk by a trusted process, which might further prevent detection by certain security solutions.
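Because the wmic.exe command line is empty, the only signals left for a defender are the process tree and the file activity around it. The following Python is an added example (not ReaQta's code, and not the Dridex macro) that turns the nine-step chain above into behavioural rules: an Office process spawning notepad.exe or wmic.exe, a wmic.exe started without arguments, wmic.exe parenting rundll32.exe, and a .txt being renamed to .xsl. The event classes, field names, file paths and sample records are constructed for the demo and assume a telemetry source that records process creation with the parent image and file renames (Sysmon-style data would map onto them directly).

```python
"""Behavioural detections for the Dridex notepad/wmic/rundll32 chain.

Added example, not ReaQta's or Dridex's code. The event classes, field names,
paths and sample records are constructed for this demo; map them onto your own
process-creation and file-rename telemetry.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children of an Office process that are rarely legitimate and were abused here.
SUSPICIOUS_OFFICE_CHILDREN = {"wmic.exe", "notepad.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # basename of the process image
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class RenameEvent:
    pid: int
    image: str          # image of the process performing the rename
    src: str
    dst: str


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line carries nothing beyond the image name.

    An argument-free wmic.exe is exactly what the post observes: the real
    commands arrived later through the console window, so a rule that only
    inspects wmic's arguments never sees them.
    """
    tokens = cmdline.replace('"', "").split()
    return len(tokens) == 0 or (
        len(tokens) == 1 and tokens[0].lower().endswith(image.lower())
    )


def detect(procs, renames):
    """Return (rule, pid) findings for the behaviours described in the post."""
    findings = []
    for p in procs:
        parent = p.parent_image.lower()
        image = p.image.lower()
        # 1. Office spawning notepad or a living-off-the-land binary.
        if parent in OFFICE_APPS and image in SUSPICIOUS_OFFICE_CHILDREN:
            findings.append(("office_spawns_suspicious_child", p.pid))
        # 2. wmic.exe started with no arguments: its input came via the console.
        if image == "wmic.exe" and has_no_arguments(p.cmdline, image):
            findings.append(("wmic_without_arguments", p.pid))
        # 3. wmic.exe acting as the parent of rundll32.exe (SquiblyTwo stage).
        if image == "rundll32.exe" and parent == "wmic.exe":
            findings.append(("wmic_spawns_rundll32", p.pid))
    # 4. A .txt written to disk being renamed to .xsl by Office or notepad.
    for r in renames:
        if (r.image.lower() in OFFICE_APPS | {"notepad.exe"}
                and r.src.lower().endswith(".txt")
                and r.dst.lower().endswith(".xsl")):
            findings.append(("txt_renamed_to_xsl", r.pid))
    return findings


# Constructed sample telemetry mirroring the behavioural tree in the post;
# pids, paths and the DLL name are placeholders, not observed values.
SAMPLE_PROCS = [
    ProcEvent(200, "winword.exe", '"WINWORD.EXE" /n "DHL_Document.docm"', 100, "explorer.exe"),
    ProcEvent(300, "notepad.exe", "notepad.exe", 200, "winword.exe"),
    ProcEvent(400, "wmic.exe", "", 200, "winword.exe"),            # empty command line
    ProcEvent(500, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\PLACEHOLDER.dll,#1", 400, "wmic.exe"),
    ProcEvent(600, "wmic.exe", "wmic os get caption", 700, "cmd.exe"),  # benign admin use
]
SAMPLE_RENAMES = [
    RenameEvent(200, "winword.exe", "C:\\Users\\Public\\may_befall.txt", "C:\\Users\\Public\\may_befall.xsl"),
]


def demo():
    """Run the rules over the constructed sample and return the findings."""
    return detect(SAMPLE_PROCS, SAMPLE_RENAMES)


if __name__ == "__main__":
    for rule, pid in demo():
        print(f"{rule:32} pid={pid}")
```

The benign wmic.exe record (pid 600) is included on purpose: it carries its arguments on the command line and is not flagged, which is the point of looking at argument-free instances and parent/child relationships rather than at command-line keywords alone.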

We noticed that Dridex's behavior changed between the 5th and the 9th of June 2020. Before these dates, Dridex used a much simpler technique in which rundll32.exe was launched directly.


Attackers keep evolving at an incredible pace and are increasingly creative in their approach. Behavioral monitoring and continuous endpoint monitoring help organisations remain safe and prevent interruptions to business continuity, even when facing new and previously unknown threats or techniques.

With a large part of the workforce now operating from home, traditional enterprise defense systems are less effective and attention must be pointed towards those devices that are targeted more often. Behavioral monitoring, infrastructural modeling and automated threat hunting are some of the most important features provided by ReaQta-Hive. Our security experts can help if you suspect that your infrastructure has been breached or if you need to step up your cyber security posture; contact us to discuss with our security team.

MITRE ATT&CK Techniques

Execution: T1047, T1204, T1064, T1085

Defense Evasion: T1055, T1107, T1064, T1085

C2: T1043

MITRE Techniques used by Dridex
ReaQta-Hive MITRE ATT&CK Mapping