A phishing campaign was detected in which a malicious Microsoft Excel document, delivered as an email attachment, was spreading a new variant of Dridex. Dridex is a Trojan, also known as Bugat and Cridex, that is capable of stealing a victim’s online banking and system information from an infected machine.
The email was disguised as a payment request with a fake Excel invoice file attached. If a victim double-clicks the attached file, Microsoft Excel opens it and displays a yellow bar with a Security Warning message, which means the opened file contains risky active content such as a VBA macro. Once the victim clicks the “Enable Content” button, however, that content is loaded and executed automatically. The document deliberately shows a vague invoice to drive the victim to click the button in order to get a clearer look at it.
This file contains a malicious macro (VBA code) that can be executed in two ways. The first is by clicking the green “All-Open and pay” button, which runs the malicious VBA code. The second is through a Layout event: the file has a private Formsa_Layout() function that handles this event and executes the same malicious VBA code, and the Layout event occurs many times while the victim is working on the file. The Dridex developer puts all of its malicious work in the function DllRegisterServer(), which can be thought of as the equivalent of the Main() function in other, normal programs.
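As an added example (not code from the original analysis or the sample), a small Python triage helper that scans extracted VBA source for the trigger structure described above: a click handler, an event handler such as a Layout handler that fires without a click, and a shared worker routine that both reach. The VBA text is constructed for the example; the routine name DoWork, the trigger patterns and the indicator list are assumptions.

```python
import re

# Constructed VBA text (not the real sample) shaped like the macro described above:
# a click handler and a Layout event handler that both route into one worker routine.
SAMPLE_VBA = """\
Private Sub CommandButton1_Click()
    Call DoWork
End Sub

Private Sub Formsa_Layout()
    DoWork
End Sub

Private Sub DoWork()
    Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
"""

# Procedure-name patterns that run without the victim deliberately "running a macro".
# A Layout handler is the most dangerous: it fires every time the form is redrawn.
AUTO_TRIGGERS = {
    r"_Layout$": "layout event (fires repeatedly during normal editing)",
    r"_Activate$": "activate event",
    r"_Initialize$": "initialize event",
    r"^(Auto_Open|Workbook_Open|Document_Open)$": "document open",
}
CLICK_TRIGGER = r"_Click$"
# Generic indicator list (assumed), flagged wherever they appear in a routine body.
SUSPICIOUS_CALLS = ("CreateObject", "Shell", "URLDownloadToFile")

SUB_RE = re.compile(r"^\s*(?:Private|Public)?\s*Sub\s+(\w+)\s*\(.*?\)(.*?)^\s*End Sub",
                    re.S | re.M | re.I)

def parse_subs(vba):
    """Map each Sub name to its body text."""
    return {m.group(1): m.group(2) for m in SUB_RE.finditer(vba)}

def analyze(vba):
    """Classify trigger handlers, follow their direct calls, and report shared targets."""
    subs = parse_subs(vba)
    triggers = {}
    for name in subs:
        if re.search(CLICK_TRIGGER, name, re.I):
            triggers[name] = "click"
        for pat, why in AUTO_TRIGGERS.items():
            if re.search(pat, name, re.I):
                triggers[name] = why
    # Direct callees of each trigger handler (bare name or "Call name").
    reach = {t: {s for s in subs if s != t and re.search(r"\b%s\b" % s, subs[t])}
             for t in triggers}
    shared = {s for s in subs if sum(s in c for c in reach.values()) >= 2}
    suspicious = {s: [k for k in SUSPICIOUS_CALLS if re.search(r"\b%s\b" % k, b)]
                  for s, b in subs.items()}
    suspicious = {s: k for s, k in suspicious.items() if k}
    return {"triggers": triggers, "reach": reach,
            "shared_targets": shared, "suspicious": suspicious}
```

A routine reached from both a click handler and a repeating event handler, and containing object-creation calls, is the pattern to escalate on; the script reports it as `shared_targets` together with `suspicious`.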
Many anti-analysis techniques are observed in the Dridex core to prevent its code from being analyzed.