Dridex Banking Trojan Technical Report


This report analyzes in detail the many droppers and auxiliary DLLs that belong to the Dridex banking malware, along with all of their indicators.

Introduction

The Dridex banking malware first appeared in 2012. It generally spreads through Word macros; in 2015 it caused damage of £20 million in the UK and $10 million in the United States. In early 2016, it added crypto wallets to its target list.

The Dridex banking malware, also known as Bugat and Cridex, is still active. This sample, which most recently appeared on 13.05.2020, uses a different technique to spread on the system.

In this attack campaign the Dridex banking malware targets Pakistan. It steals user information through DLLs that are encoded inside HTA files, which it drops from its C&C servers.

The PDF document presented to the end user appears to belong to Islamabad Air University. It is a phishing decoy whose only purpose is to occupy the user while the malicious operations run in the background.

Preview

This version of the Dridex banking malware keeps its classic distribution method, e-mail phishing, and arrives as a compressed archive. There are 3 files in the archive.

File ZIP Archive
MD5 865e7c8013537414b97749e7a160a94e
SHA1 13a5ec9f6a7b0765071e43c81b7fbfdb312ab3e4
File Policy Guidelines for Online Classess.pdf.Ink
MD5 865e7c8013537414b97749e7a160a94e
SHA1 13a5ec9f6a7b0765071e43c81b7fbfdb312ab3e4

The file named Policy Guidelines for Online Classess.pdf.Ink is actually a shortcut that is made to look like a PDF document. Looking at the target of the shortcut shows that the shortcut is actually a dropper.

%windir%\system32\cftmo.exe

hxxp://www.au-edu.km01s[.]net/images/E2BC769A/16914/11662/84c7b244/3387c59

It downloads the file named 3387c59 from the website linked in the shortcut. Examining the content of the file shows that it is an HTA file containing obfuscated JavaScript code.

The code must be deobfuscated before the malicious logic can be analyzed. The deobfuscated code of the 3387c59 file is given below.

3387c59.hta File Analysis
File 3387c59.hta
MD5 30dd4284f82c7833034b586ba2d216a0
SHA1 1a048b8dd14765ff1e368f871879a623b8a96de7

The purpose of this file became clear after deobfuscating the malicious code contained in the HTML script tags. Important data encrypted with the RC4 algorithm is decrypted with the RC4 key "411402620", which is held in the keeee variable.

The malicious file contains two encrypted pieces of data: the "da" variable contains a gzip archive and the "so" variable contains a malicious DLL. The gzip archive holds a real, harmless PDF document, which gives the malware its trojan character.

File Policy Guidelines for Online Classess.pdf
MD5 8ae9cc797c2f3ec3eca3b54a2e70edf1
SHA1 6c878840bd899936974a0364a2297b658beaeda9

In the malicious file, the malicious operations are carried out through ActiveX objects. First, the malware determines the version of the .NET library on the system.

After receiving the version information, it adjusts the shell environment to this version, which avoids version-dependent problems while the DLL is running.

Through a Windows Management Instrumentation (WMI) query, it enumerates the AV products present on the system and stores the result in the variable "x". It then appends this result to the end of the URL held in the "aURL" variable:

hxxp://www.au-edu.km01s[.]net/plugins/16914/11662/true/true/

After these steps, it runs the malicious DLL held in the "so" variable in memory, using ActiveX objects and the window.eval() function.

After all these operations, the 3387c59 file, which acts as a dropper, calls the Work method of the DLL in the "so" variable. It passes the following as parameters, in order: the .hta file on the remote server, the malicious URL to which it plans to send the AV products, the variable that holds the gzip archive with the harmless PDF document, and the name of this PDF.

LinkZip.dll Analysis
File LinkZip.dll
MD5 7923c5065578d3dbda91646a04e189ec
SHA1 3c8891b8ff1645e22c9baf3668210a178f4125dd

After the DLL held in the "so" variable of the malicious 3387c59.hta file is decoded, 4 parameters are passed to its Work method. If we look at the parameters that the Work method takes:

First, it extracts the PDF document from the gzip archive and displays it to the user. In the background, it downloads another HTA file from the remote server. It runs this HTA file it downloaded with mshta.exe.

General capabilities of the malicious DLL named LinkZip.dll:

  • Decompress the compressed archive,
  • Execute the PDF document,
  • Make a web request,
  • Download the malicious file from the remote server and execute it.

After running the HTA file downloaded from the remote server with mshta.exe, it deletes this malicious file from the system.

File.hta Analysis
File File.hta
MD5 c04acf0e0938c22ca75219aedc19c9a1
SHA1 a05e701fd029a0641331256b3dbf7f992ec6e838

Like the 3387c59.hta file, File.hta contains JavaScript code and can be run by "mshta.exe"; it also contains ActiveX objects.

There are basically 3 variables that are important. Deobfuscating the obfuscated code confirms that the variables "so", "x" and "y" hold data encoded with Base64. As before, the data is also encrypted with the RC4 algorithm.

When the variables containing Base64 are decoded, the "so" variable yields a DLL file with a ".ttf" magic header, and the variables "x" and "y" yield gzip archives. There are DLL files in these archives.

It is noteworthy that the ".ttf" file assigned to the "so" variable has an MZ header when examined with a tool such as a hex editor. When the file is edited, it is seen that there is a DLL file.
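The following triage helper is an added example, not code from the sample or from the report's authors. It covers both this passage and the RC4 passage in the 3387c59.hta section: it decrypts a variable with the "411402620" key from the page and labels what comes out (gzip, PDF, or a PE image, including one that starts at a non-zero offset behind a wrapper). The Base64-then-RC4 layering, the standard Base64 alphabet, the function names and the sample bytes are assumptions made for the illustration.

```python
import base64
import gzip
import zlib

RC4_KEY = b"411402620"  # key the report found in the "keeee" variable

def rc4(key, data):
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def find_pe(blob):
    """Offset of the first 'MZ' whose e_lfanew field leads to 'PE\\0\\0', else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
        if blob[pos + lfanew:pos + lfanew + 4] == b"PE\x00\x00":
            return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def classify(blob):
    """Label a decrypted blob; gzip layers are unpacked and labelled recursively."""
    if blob[:2] == b"\x1f\x8b":
        try:
            return "gzip:" + classify(gzip.decompress(blob))
        except (OSError, EOFError, zlib.error):
            return "gzip:corrupt"
    if blob[:5] == b"%PDF-":
        return "pdf"
    off = find_pe(blob)
    return f"pe@{off:#x}" if off != -1 else "unknown"

def triage(var_text, key=RC4_KEY):
    """Assumed layering: standard Base64 on the outside, RC4 underneath."""
    return classify(rc4(key, base64.b64decode(var_text)))

# Constructed stand-ins for the script variables, not bytes from the sample.
FAKE_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
def wrap(plain):
    return base64.b64encode(rc4(RC4_KEY, plain)).decode()
```

A result such as `pe@0x7` means the PE image sits behind a wrapper and has to be carved from that offset before it can be loaded into a disassembler.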

It writes the DLL in the "so" variable directly to memory and runs it with the window.eval() function.

When the code block is examined in detail, the "throw 1;" statement raises an exception so that the catch block runs. In this block, the Work method in the "so" variable is called with the following sent as parameters:

"x", "y", "202/4zFPhSyGnJ0DzFatyW3RjZujTsdrKx4qPkcJGupk/16914/11662/df36c81"

"so" variable = "StInstaller.dll"

"x" variable = "Duser.dll"

"y" variable = "SystemApp.dll"

StInstaller.dll Analysis
File StInstaller.dll
MD5 567f6f3e4ae4869b9d9954770774aa9f
SHA1 85ac80dc5ecd66316cc33ff5abef89062439d112

The Work() function seen in File.hta is implemented in the StInstaller.dll file. If we look at the parameters it takes:

Some variables are obfuscated in the DLL. After deobfuscation, the variables and their contents are as in the image below:

If the "%windir%\\syswow64\\" path exists on the system, it copies rekeywiz.exe from this path to the relevant directory. If it is not found, it copies rekeywiz.exe to the relevant directory from "%windir%\\system32\\". Rekeywiz.exe is a legitimate system application.

This DLL adds a value named font2 to the Software\\Microsoft\\Windows\\CurrentVersion\\Run registry path and sets it to the path of rekeywiz.exe, so that rekeywiz.exe runs again each time the system is restarted.

A randomly named .tmp file is created. SystemApp.dll is passed through the encode function, placed in this xxxxx.tmp file and saved in the directory.

The name of the variable that holds Duser.dll stands out: "hijackDllname". The Duser.dll and rekeywiz.exe.config files are also saved in the directory, and the program is started. The content of the rekeywiz.exe.config file is the string held in the manifestContent variable.

The general capabilities of the malicious DLL named StInstaller.dll can be listed as:

  • Decompressing data,
  • Encoding data,
  • Searching within data,
  • Generating tokens,
  • Substituting other data for specified data,
  • Adding values to the registry.

Duser.dll Analysis
File GZIP Archive
MD5 e3fdf458ab16294f9e041be46600af6b
SHA1 d281b1a596807c5fea1e7d581a8a49ed6dcbcac3
File Duser.dll
MD5 1538ebe93228d9b2246eedfd54c58179
SHA1 7a3471aa9f65b5b765393a319268f7dcb9865091

Duser.dll is a legitimate DLL file normally used by the Rekeywiz.exe application. However, the malware creates a malicious Duser.dll in the directory to which it copies Rekeywiz.exe, and in this way performs DLL hijacking.

The purpose of the DLL file is to decode another file and run it. The Duser.dll obtained from File.hta looks like the following, because it has not yet been processed:

The view of Duser.dll after it has been processed by StInstaller.dll is:

It appears that the xxxxx.tmp file is decoded and loaded so that it can be run later. When we put the TMP file through the same process, an MZ header appears.

The Up() method in the DLL file calls the Program.Start() method of the DLL that comes from the decoded TMP file.

The values encoded with Base64 are decoded as “Program” and “Start”, respectively.

There are two options for calling the Up() method. Either the Up() method is called directly (we could not see that use in the malicious DLL), or a method that calls Up() internally is called. However, as neither option occurs in this piece of code, the rekeywiz.exe program will need to reach the Up() method in one of these two ways.

When we examine the methods in the original Duser.dll, it is seen that it has a function in common with our malicious DLL.

The InitGadgets() method is included in both DLL files. In the malicious DLL, this method calls the Up() method.

In this case, when rekeywiz.exe calls the InitGadgets() method in Duser.dll, DLL hijacking causes the function of the same name in the malicious DLL to run instead, and the SystemApp.dll file is executed.
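The side-loading layout described in the StInstaller.dll and Duser.dll sections can be hunted for in a file inventory and an export of Run values. The check below is an added example, not part of the original report: it flags any directory outside the Windows system directories that holds rekeywiz.exe, notes which of the companion files from the report sit beside it, and flags Run values that start rekeywiz.exe from such a directory. The function names, the staging directory name and the sample inventory are constructed for the illustration.

```python
import ntpath  # Windows path rules on any OS
from collections import defaultdict

def legit_dirs(windir):
    return {ntpath.normcase(ntpath.join(windir, d)) for d in ("System32", "SysWOW64")}

def sideload_dirs(paths, windir=r"C:\Windows"):
    """Flag directories outside %windir% that hold rekeywiz.exe, with what sits beside it."""
    by_dir = defaultdict(set)
    for p in map(ntpath.normcase, paths):
        by_dir[ntpath.dirname(p)].add(ntpath.basename(p))
    hits = {}
    for d, names in by_dir.items():
        if "rekeywiz.exe" not in names or d in legit_dirs(windir):
            continue
        reasons = ["rekeywiz.exe outside system directory"]
        if "duser.dll" in names:
            reasons.append("Duser.dll beside it")
        if "rekeywiz.exe.config" in names:
            reasons.append("rekeywiz.exe.config beside it")
        if any(n.endswith(".tmp") for n in names):
            reasons.append(".tmp file beside it")
        hits[d] = reasons
    return hits

def run_key_hits(run_values, windir=r"C:\Windows"):
    """Names of Run values that start rekeywiz.exe from a non-system directory."""
    hits = []
    for name, command in run_values.items():
        exe = ntpath.normcase(command.strip().strip('"'))
        if (ntpath.basename(exe) == "rekeywiz.exe"
                and ntpath.dirname(exe) not in legit_dirs(windir)):
            hits.append(name)
    return hits

# Constructed inventory and Run values; the staging directory name is hypothetical.
STAGE = r"C:\ProgramData\ExampleStage"
INVENTORY = [
    r"C:\Windows\System32\rekeywiz.exe", r"C:\Windows\System32\duser.dll",
    STAGE + r"\rekeywiz.exe", STAGE + r"\Duser.dll",
    STAGE + r"\rekeywiz.exe.config", STAGE + r"\k3f9a.tmp",
]
RUN_VALUES = {"font2": '"' + STAGE + r'\rekeywiz.exe"',
              "ExampleApp": r"C:\Program Files\ExampleApp\app.exe"}
```

The check keys on the file layout, not on the font2 value name, so it still fires if the value is renamed.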

SystemApp.dll Analysis
File GZIP Archive
MD5 14bb9075be2ffd50e625882e446e9c42
SHA1 f9c3796d3b8f7d1d97dce17755f0c4e215e6b9b1
File SystemApp.dll
MD5 3695c1dca8b1cf368abad3f42f3efc16
SHA1 ceee8c9f929ba3de6badd0bfffd86655c4d7b999

After the hijack with Duser.dll, the Rekeywiz.exe program calls the InitGadgets() function, which then calls the Up() method. Then the randomly named, encoded TMP file is decoded and execution enters the Program.Start() method of SystemApp.dll.

After the Start() method, it jumps to the LoadSetting() method. There are two resources embedded inside. The first is a settings file named Default, and the second is a JSON framework for the .NET environment named Newton_Json. In the LoadSettings() method, it decrypts the resource named Default and defines the setting variables.

After the setting variables are defined, it decodes the font2 file referenced by the SettingsFilePath variable and redefines the setting variables according to the data in the font2 file. After this second definition, the state of the variables is as follows.

Among the setting variables, there are values such as file extensions to be targeted and the maximum size of the files to be targeted.

After completely defining its settings, it downloads data from the remote server. After decoding the data, it passes it as the first parameter to the Load() method of the Loader class in Duser.dll, and it sends the values of the setting variables as the second parameter.

The data coming from the remote server is understood to be a DLL or EXE written for the .NET environment. The Base64-encoded value decodes to the string "Program". It sends the setting variables as parameters to the Program constructor in the data downloaded from the remote server. Some operations are then carried out according to the return value.

The point to note here is that the data from the remote server is a memory stream. Depending on the value returned by the malicious memory stream, the following can happen:

  • Redefining the setting variables,
  • Writing system information that contains critical details, such as user authorization information, driver information and the applications installed on the system, to a randomly named file with the ".sif" extension,
  • Writing important information about the disks on the system, such as free space, used space and disk type, to a randomly named file with the ".flc" extension, and keeping the list of files containing the target extensions in the setting file,
  • Writing the full path of files with target extensions to a randomly named file with the ".fls" extension,
  • Changing the address of the C&C server and defining a new C&C server,
  • Optionally updating information such as the target file extensions and the maximum file size to target.

The memory stream data that is received from the C&C server and run is an important malicious command and control component that commands the malware and possibly contains an upload mechanism.

After collecting and setting information on the system, it uploads all the critical data in the directory AppData\Roaming\font2Dat to the remote server. It deletes the collected data once the attack has achieved its purpose after the installation.

In addition, it frequently uses WMI queries to learn information about the users on the system, the AV products on the system, the processor, the network card, etc. It writes all the queried and collected information to JSON files and uses the Newtonsoft JSON framework for these operations.

Once its malicious behavior has succeeded, the Dridex banking malware frees up system resources so that critical information, such as the malicious code in the memory stream, cannot be obtained.

Network Actions

The Dridex banking malware communicates with two malicious servers.

First, it downloads the malicious HTA files from the hxxp://www.au-edu.km01s[.]net domain, which has the IP address 185[.]163.45.199. It also sends the list of AV products on the system to this malicious server.

The malicious domain name resembles the domain of Islamabad Air University, which also indicates that this is a phishing attack.

It transmits the information collected from the system, encrypted with the TLS protocol, to the command and control server at the hxxps://kat0x[.]net domain, which has the IP address 46[.]30.189.44.

Solution Proposals

There are ways to protect yourself from the Dridex banking malware:

  • Using up-to-date, reliable antivirus software on systems,
  • Paying careful attention to incoming mails and not opening attachments without analyzing them,
  • Ignoring spam mails and configuring e-mail filtering correctly,
  • Applying operating system updates immediately,
  • Monitoring the processes started by Mshta.exe,
  • Filtering malicious connections on the network, IP addresses and C&C servers.

YARA Rule

import "hash"

// First-stage HTA downloaded by the shortcut
rule FirstFile {
    meta:
        description = "3387c59.hta"

    strings:
        $str1 = "ActiveXObject" fullword
        $str2 = "keeee" fullword
        $str3 = "folder.Name"
        $str4 = "J2KeVEs1AdB5FYChHmogtujc6rG8PZfaITqL9WMw3DvSQOn047yizXpxbRNlUk+/="
        $str5 = "shells.Environment"
        $command1 = "window.eval"
        $command2 = "window.close"

    condition:
        hash.md5(0, filesize) == "30dd4284f82c7833034b586ba2d216a0" or all of them
}

// DLL carried in the "so" variable of 3387c59.hta
rule LinkZip {
    meta:
        description = "LinkZip.dll"

    strings:
        $name = "LinkZip.dll"
        $str1 = "DownloadData"
        $str2 = "downloadData"
        $str3 = "mshta.exe"
        $str4 = "avUrl" fullword
        $str5 = "finalUrl" fullword
        $userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"

    condition:
        // "and" binds tighter than "or"; the parentheses only make that explicit
        hash.md5(0, filesize) == "7923c5065578d3dbda91646a04e189ec" or (all of them and uint16(0x4C7) == 0x5A4D)
}

// Second-stage HTA downloaded by LinkZip.dll
rule FileHTA {
    meta:
        description = "file.hta"

    strings:
        $str1 = "ActiveXObject" fullword
        $str2 = "keeee" fullword
        $str3 = "folder.Name" fullword
        $str4 = "J2KeVEs1AdB5FYChHmogtujc6rG8PZfaITqL9WMw3DvSQOn047yizXpxbRNlUk+/="
        $str5 = "shells.Environment"
        $command1 = "window.eval"
        $command2 = "window.close"

    condition:
        hash.md5(0, filesize) == "c04acf0e0938c22ca75219aedc19c9a1" or all of them
}

// Installer that copies rekeywiz.exe and sets the Run value
rule StInstaller {
    meta:
        description = "StInstaller.dll"

    strings:
        $path1 = "%windir%\\syswow64\\"
        $path2 = "%windir%\\system32\\"
        $dllname = "Duser.dll" fullword
        $exename = "rekeywiz.exe" fullword
        $reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword
        $ext1 = ".tmp"
        $ext2 = ".config"

    condition:
        hash.md5(0, filesize) == "567f6f3e4ae4869b9d9954770774aa9f" or all of them
}

// Hijacking DLL loaded by rekeywiz.exe
rule Duser {
    meta:
        description = "DUser.dll"

    strings:
        $base1 = "UHJvZ3JhbQ=="   // Base64 of "Program"
        $base2 = "U3RhcnQ="       // Base64 of "Start"
        $name = "DUSER.dll"
        $a = { ?? ?? ?? ?? ?? ?? ?? 2e 74 6d 70 }   // seven arbitrary bytes followed by ".tmp"

    condition:
        hash.md5(0, filesize) == "1538ebe93228d9b2246eedfd54c58179" or (all of them and uint16(0) == 0x5A4D)
}

// Final-stage collector and C&C client
rule SystemApp {
    meta:
        description = "SystemApp.dll"

    strings:
        $name = "SystemApp.dll"
        $url = "https://kat0x.net/202/4zFPhSyGnJ0DzFatyW3RjZujTsdrKx4qPkcJGupk/16914/11662/df36c81" fullword
        $ext1 = ".err"
        $ext2 = ".sif"
        $ext3 = ".flc"
        $ext4 = ".fls"
        $reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall" fullword
        $str1 = "DUSER"
        $str2 = "POST"
        $str3 = "gzip"
        $json = "Newtonsoft.Json.dll" fullword

    condition:
        hash.md5(0, filesize) == "3695c1dca8b1cf368abad3f42f3efc16" or all of them
}

// Matches when any of the per-file rules above matches
rule main {
    condition:
        FirstFile or LinkZip or FileHTA or StInstaller or Duser or SystemApp
}