Malware Dridex Attacks macOS Systems Using a New Infection Method

Recent research indicates that a variant of the infamous Dridex banking malware has targeted Apple’s macOS operating system using an undocumented infection technique.

Trend Micro researcher Armando Nathaniel Pedragoza stated in a technical report that the group has “adopted a new technique to deliver documents containing malicious macros to users without having to pose as invoices or other business-related files.”

Dridex, also known as Bugat and Cridex, is a known information thief that steals sensitive data from infected machines and executes malicious modules. It is attributed to the cybercrime organization known as Evil Corp. (aka Indrik Spider).

The malware is also regarded as a successor to Gameover Zeus, which was itself a successor to another banking trojan named Zeus. Previous Dridex campaigns targeting Windows utilized macro-enabled Microsoft Excel documents delivered via phishing emails to deliver the payload.

A European and American law enforcement operation disrupted the botnet in October 2015, and a Moldovan man named Andrey Ghinkul was arrested for his role as the botnet’s administrator. A U.S. federal court sentenced Ghinkul to time served in December 2018, following his extradition in February 2016.

In December 2019, the U.S. Treasury Department imposed sanctions on Evil Corp and announced a $5 million reward for the capture of two key members, Maksim Yakubets and Igor Turshev. Dridex has continued to evolve despite these efforts, proving to be a resilient threat.

Trend Micro’s analysis of Dridex samples involves a Mach-O executable file submitted to VirusTotal as early as April 2019. Since then, 67 additional artifacts have been discovered in the wild, the most recent of which was in December 2022.

The artifact, for its part, contains a malicious embedded document that was first discovered in 2015 and contains an Auto-Open macro that is automatically executed when a Word document is opened.

In addition, the Mach-O executable is programmed to search for and replace all “.doc” files in the current user directory (/User/user name) with the malicious macro code copied from the embedded document as a hexadecimal dump.

“Even though the macro feature in Microsoft Word is disabled by default, the malware will overwrite all document files for the current user, including clean files,” explained Pedragoza. Since the file does not originate from an external source, it becomes more difficult for the user to determine whether it is malicious.

The overwritten document contains macros designed to contact a remote server to retrieve additional files, including a Windows executable file that is incompatible with macOS, indicating that the attack chain may still be in development. In turn, the binary attempts to download the Dridex loader onto the compromised system.

Even though documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings demonstrate once again that Microsoft’s decision to block macros by default has prompted threat actors to refine their techniques and find more effective entry points.

“Currently, the impact of this Dridex variant on macOS users is minimal because the payload is an.EXE file, which is incompatible with macOS environments,” Trend Micro stated. However, it continues to overwrite document files that now contain Dridex’s malicious macros.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of