
Dridex Malware Now Attacking macOS Systems with Novel Infection Method


Jan 06, 2023 | Ravie Lakshmanan | United States

A variant of the notorious Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to the latest research.

It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.

Dridex, also known as Bugat and Cridex, is an information stealer that is known to harvest sensitive data from infected machines and to deliver and execute malicious modules. It is attributed to an e-crime group known as Evil Corp (aka Indrik Spider).

The malware is also considered a successor of Gameover Zeus, itself a follow-up to another banking trojan called Zeus. Earlier Dridex campaigns targeting Windows have leveraged macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload.

Trend Micro's analysis of the Dridex samples involves a Mach-O executable file, the earliest of which was submitted to VirusTotal in April 2019. Since then, 67 more artifacts have been detected in the wild, some as recent as December 2022.

The artifact, for its part, contains a malicious embedded document, first detected back in 2015, featuring an Auto-Open macro that runs automatically when the Word document is opened.

Furthermore, the Mach-O executable is designed to search for and overwrite all ".doc" files in the current user's directory (~/User/{user name}) with the malicious macro code copied from the embedded document, which is stored in the binary as a hexadecimal dump.

"While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files," Pedragoza explained. "This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source."
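One way a defender can hunt for the overwrite footprint described above, as an added example that is not part of the article or of Trend Micro's report: it assumes the dropped document is a legacy OLE ".doc" whose VBA project leaves the standard `_VBA_PROJECT` stream and `Macros` storage names inside the file, and it flags clusters of byte-identical, macro-bearing .doc files under a directory, since a user's own documents are normally all different. The files it scans are a constructed fixture written to a temporary directory.

```python
"""Hunt for the mass-overwrite pattern: many .doc files that are byte-identical
and all carry a VBA project (constructed detection logic, not Trend Micro's)."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB header of a legacy .doc
# Stream/storage names in a compound file are stored as UTF-16LE; a VBA
# project always creates a "_VBA_PROJECT" stream and a "Macros" storage.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def has_vba_project(data: bytes) -> bool:
    """True if data is an OLE compound file whose directory names a VBA project."""
    return data.startswith(OLE_MAGIC) and all(m in data for m in VBA_MARKERS)


def scan_docs(root):
    """Group every .doc under root by SHA-256; remember which groups carry VBA."""
    groups, carries_vba = defaultdict(list), {}
    for path in sorted(Path(root).rglob("*.doc")):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        groups[digest].append(str(path))
        carries_vba[digest] = has_vba_project(data)
    return groups, carries_vba


def find_mass_overwrite(root, min_copies=3):
    """Hashes shared by >= min_copies .doc files that all contain a VBA project.
    A cluster of identical macro-bearing .doc files is the footprint of the
    overwrite behaviour the article describes; clean, distinct files are ignored."""
    groups, carries_vba = scan_docs(root)
    return {h: p for h, p in groups.items() if len(p) >= min_copies and carries_vba[h]}


def build_sample_tree():
    """Constructed fixture: a temp 'home' with three overwritten .doc files, one
    untouched clean .doc and one unrelated .txt. Returns the directory path."""
    home = Path(tempfile.mkdtemp())
    poisoned = OLE_MAGIC + b"\0" * 64 + VBA_MARKERS[1] + b"\0" * 16 + VBA_MARKERS[0]
    clean = OLE_MAGIC + b"\0" * 64 + "WordDocument".encode("utf-16-le")
    for name in ("invoice.doc", "notes/todo.doc", "cv.doc"):
        (home / name).parent.mkdir(parents=True, exist_ok=True)
        (home / name).write_bytes(poisoned)
    (home / "keep.doc").write_bytes(clean)
    (home / "readme.txt").write_bytes(poisoned)   # wrong extension, not counted
    return home


if __name__ == "__main__":
    for digest, paths in find_mass_overwrite(build_sample_tree()).items():
        print(f"{digest[:16]}... shared by {len(paths)} macro-bearing .doc files:")
        for p in paths:
            print("   ", p)
```

Pointing `find_mass_overwrite` at a real home directory reports only the clusters; confirming that the shared content is actually the Dridex document still needs a proper OLE parser such as oletools, which is outside this example.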

The macros included in the overwritten document are engineered to contact a remote server to retrieve additional files, including a Windows executable that will not run on macOS, which indicates that the attack chain may be a work in progress. The binary, in turn, attempts to download the Dridex loader onto the compromised machine.

While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft's decision to block macros by default has prompted threat actors to refine their tactics and look for more efficient methods of entry.

"Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an .EXE file (and therefore not compatible with macOS environments)," Trend Micro said. "However, it still overwrites document files which are now the carriers of Dridex's malicious macros."
