Dridex malware pops back up and turns its attention to macOS

A variant of the bad penny that is Dridex, the general-purpose malware that has been around for years, now has macOS platforms in its sights and a new way of delivering malicious macros via documents.

The first sample of this latest variant appeared on VirusTotal in 2019, but detections started to rise a year later and peaked in December 2022, according to threat researchers at Trend Micro.

However, while the Dridex variant has macOS systems in its sights, the malicious payload it delivers is a Microsoft exe file, which won't run in a macOS environment.

"It is possible that the variant we analyzed is still in the testing stages and has not yet been fully converted to work in MacOS-based machines," Trend Micro threats analyst Armando Nathaniel Pedragoza writes in a report.

However, Pedragoza noted that the variant overwrites document files that then carry Dridex's malicious macros, adding that "it's possible that the threat actors behind this variant will implement further modifications that will make it compatible with MacOS."

Dridex started off as a banking trojan targeting Windows systems and has over the years evolved to include information-stealing and botnet capabilities. It also has shown a lot of resilience. It was essentially taken down by the FBI in 2015, and four years later the US put a $5 million bounty on two Russian nationals accused of being linked to the threat group Evil Corp, which was behind both Dridex and Zeus, another banking malware.

According to Check Point researchers, Dridex is still most often used as a trojan against financial institutions – it was the fourth most prevalent malware variant in 2021, they wrote last year – but it continues to evolve, which has helped keep it relevant on the cyberthreat scene.

For example, a new variant in September 2021 expanded the info-stealing capabilities and was used in a phishing campaign that delivered malicious Excel documents. Dridex also was among the top malware abusing the widespread Log4j vulnerability in December 2021, according to Check Point.

"Despite its age, it continues to be used, and in fact has even seen many enhancements over the years," Trend Micro's Pedragoza writes. "Its entry point into the user's system has traditionally been through email attachments, but this blog entry illustrates that the malicious actors using Dridex are also trying to find new targets and more efficient methods of entry."

Like other malware, Dridex typically delivers documents that carry malicious macros to a victim's system through email attachments that look like normal document files, he wrote. The sample Trend Micro investigated comes in the Mach object file format (Mach-O), a file format in macOS.

Once in, the payload is assembled and the malware searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code has a D0CF file format signature, implying it is a Microsoft document file, Pedragoza wrote.

In addition, the affected .doc files then contain macros and suspicious components. One object includes the autoopen macro that calls the malicious functions, which look like normal functions with regular names. The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file.
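The two paragraphs above give a defender something concrete to look for: a .doc file that starts with the OLE2/Compound File signature (the "D0CF" bytes) and also carries an auto-executing VBA macro. The following triage script is an added example, not code from the Trend Micro report or from this article; it assumes the usual VBA stream names ("Macros", "_VBA_PROJECT") and the "AutoOpen" procedure name as markers, and it is a byte-level heuristic rather than a full OLE parser, so a clean verdict is not proof of absence.

```python
from pathlib import Path

# Compound File Binary (OLE2) header; the article's "D0CF" signature is the
# first two bytes of this eight-byte sequence.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# CFB directory entries store stream/storage names as UTF-16LE, but names can
# also surface as plain ASCII inside streams, so both encodings are checked.
# Assumed markers: Word keeps VBA under a "Macros" storage with a
# "_VBA_PROJECT" stream; "AutoOpen" is the auto-exec macro name the article cites.
VBA_MARKERS = ("_VBA_PROJECT", "Macros", "AutoOpen")


def _encodings(marker: str) -> tuple:
    return (marker.encode("ascii").lower(), marker.encode("utf-16-le").lower())


def find_vba_indicators(blob: bytes) -> list:
    """Return the markers from VBA_MARKERS present in the raw bytes (case-insensitive)."""
    low = blob.lower()  # bytes.lower() only changes ASCII letters, so UTF-16 NULs survive
    return [m for m in VBA_MARKERS if any(e in low for e in _encodings(m))]


def triage_doc(blob: bytes) -> dict:
    """Classify one document blob. Heuristic only: absence of markers is not a clean bill."""
    is_ole = blob.startswith(OLE_MAGIC)
    indicators = find_vba_indicators(blob) if is_ole else []
    return {
        "ole": is_ole,
        "indicators": indicators,
        # An OLE .doc carrying an auto-executing macro matches the overwrite the article describes
        "suspicious": is_ole and "AutoOpen" in indicators,
    }


def scan_tree(root: Path) -> dict:
    """Triage every *.doc under root (e.g. a user's home directory); returns {path: verdict}."""
    return {str(p): triage_doc(p.read_bytes()) for p in root.rglob("*.doc") if p.is_file()}


# Constructed samples (not real malware): a macro-bearing OLE blob, a clean OLE
# blob, and a non-OLE text file that merely carries the .doc extension.
MACRO_SAMPLE = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
                + b"\x00" * 8 + "AutoOpen".encode("utf-16-le") + b"_VBA_PROJECT")
CLEAN_SAMPLE = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
TEXT_SAMPLE = b"{\\rtf1 not an OLE container}"

if __name__ == "__main__":
    for name, blob in (("macro", MACRO_SAMPLE), ("clean", CLEAN_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, triage_doc(blob))
```

Because the article notes the variant overwrites clean documents too, flagged files should be compared against a known-good backup rather than trusted on the basis of their origin; confirm any hit with a proper VBA extractor such as oletools' olevba.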

Microsoft last summer blocked Visual Basic for Applications (VBA) macros in downloaded Office documents by default in order to shut down that path used by miscreants. Despite this, the malware in the Dridex variant "will overwrite all the document files for the current user, including the clean files," he wrote. "This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source."

The Dridex variant may not be a significant immediate threat to macOS systems, but the capabilities in it imply that's the direction the operators are headed in.

"Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments)," Pedragoza writes. "However, it still overwrites document files which are now the carriers of Dridex's malicious macros."