A variant of the notorious Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to the latest research.
It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.
Dridex, also called Bugat and Cridex, is an information stealer that's known to harvest sensitive data from infected machines and deliver and execute malicious modules. It's attributed to an e-crime group known as Evil Corp (aka Indrik Spider).
The malware is also considered to be a successor of Gameover Zeus, itself a follow-up to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows have leveraged macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload.
Trend Micro's analysis of the Dridex samples involves a Mach-O executable file, the earliest of which was submitted to VirusTotal in April 2019. Since then, 67 more artifacts have been detected in the wild, some as recent as December 2022.
The artifact, for its part, contains a malicious embedded document – first detected way back in 2015 – that comes with an Auto-Open macro that's automatically run upon opening the document.
This is achieved by overwriting all ".doc" files in the current user directory (~/User/{user name}) with the malicious code extracted from the Mach-O executable in the form of a hexadecimal dump.
"While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files," Pedragoza explained. "This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source."
The macros included in the overwritten document are engineered to contact a remote server to retrieve additional files, which include a Windows executable file that won't run in macOS, indicating that the attack chain is a work in progress. The binary, in turn, attempts to download the Dridex loader onto the compromised machine.
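A detection-side check for the overwrite behaviour described above, added here as an example and not code from Trend Micro's report: it walks a directory tree and flags groups of byte-identical, recently modified .doc files, because many unrelated documents suddenly sharing one hash is the footprint of a mass overwrite rather than of normal editing. The OLE header constant and the scratch tree built by make_sample_tree() are constructed for the demo and are assumptions, not artefacts from the samples.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy OLE2 .doc files (assumed for the demo)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_mass_overwritten_docs(root, min_copies=3, window_seconds=3600, now=None):
    """Map sha256 -> sorted paths for groups of at least `min_copies` byte-identical
    .doc files under `root` that were all modified within the last `window_seconds`.
    Unrelated documents that suddenly share one hash point to a mass overwrite."""
    now = time.time() if now is None else now
    by_hash = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".doc"):
                continue
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable, or removed between the walk and the stat
            if now - st.st_mtime > window_seconds:
                continue
            by_hash[sha256_of(p)].append(str(p))
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) >= min_copies}

def make_sample_tree() -> str:
    """Constructed sample data: a scratch home directory where four .doc files were
    replaced by one identical blob, one .doc was left alone and a .txt is present."""
    root = tempfile.mkdtemp(prefix="doc_overwrite_demo_")
    planted = OLE_MAGIC + b"constructed-macro-carrier" * 8
    for sub, name in [("Documents", "a.doc"), ("Documents", "b.doc"),
                      ("Desktop", "c.doc"), ("Downloads", "d.doc")]:
        d = Path(root) / sub
        d.mkdir(exist_ok=True)
        (d / name).write_bytes(planted)
    (Path(root) / "Documents" / "notes.doc").write_bytes(OLE_MAGIC + b"untouched")
    (Path(root) / "Documents" / "readme.txt").write_bytes(planted)
    return root
```

On a real host, point `find_mass_overwritten_docs()` at the user's home directory and treat any returned cluster as a file set to quarantine and compare against backups.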
While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft's decision to block macros by default has prompted threat actors to refine their tactics and find more efficient methods of entry.
"Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments)," Trend Micro said. "However, it still overwrites document files which are now the carriers of Dridex's malicious macros."