Recent research indicates that a variant of the Dridex banking malware has been observed targeting Apple's macOS, using a previously undocumented infection technique.
Trend Micro researcher Armando Nathaniel Pedragoza stated in a technical report that the group has “adopted a new technique to deliver documents containing malicious macros to users without having to pose as invoices or other business-related files.”
Dridex, also known as Bugat and Cridex, is an information stealer that harvests sensitive data from infected machines and executes additional malicious modules. It is attributed to the cybercrime group known as Evil Corp (aka Indrik Spider).
The malware is also regarded as a successor to Gameover Zeus, which was itself a successor to the Zeus banking trojan. Earlier Dridex campaigns against Windows relied on macro-enabled Microsoft Excel documents delivered by phishing email to drop the payload.
An October 2015 operation by European and U.S. law enforcement disrupted the botnet, and a Moldovan national, Andrey Ghinkul, was arrested for his role as the botnet's administrator. Following his extradition to the U.S. in February 2016, a federal court sentenced him to time served in December 2018.
In December 2019, the U.S. Treasury Department imposed sanctions on Evil Corp, and the U.S. government offered a reward of up to $5 million for information leading to the arrest of the group's alleged leader, Maksim Yakubets; Yakubets and Igor Turashev were indicted at the same time. Dridex has continued to evolve despite these efforts, proving to be a resilient threat.
Trend Micro's analysis centers on a Mach-O executable first submitted to VirusTotal in April 2019. Since then, 67 additional artifacts have been observed in the wild, the most recent of which appeared in December 2022.
The Mach-O binary embeds a malicious Word document, first seen in 2015, that carries an AutoOpen macro, which Word runs as soon as the document is opened if macros are permitted.
The executable searches the current user's home directory (/Users/<username>) for files with a ".doc" extension and overwrites every one of them with that embedded document, which the binary stores internally as a hexadecimal dump and decodes at run time.
"Even though the macro feature in Microsoft Word is disabled by default, the malware will overwrite all document files for the current user, including clean files," explained Pedragoza. Because the overwritten files are the user's own documents rather than attachments arriving from an external source, the user has little reason to suspect them.
The overwritten documents contain macros that contact a remote server to retrieve additional files, including a Windows executable that cannot run on macOS, which suggests the attack chain is still under development. That binary, in turn, attempts to download the Dridex loader onto the compromised system.
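The overwrite behaviour described above leaves two fingerprints on a compromised Mac that an incident responder can check for without any malware-specific signature: every legacy .doc file under the home directory suddenly has identical contents, and those files are OLE2 compound documents carrying a VBA project. The Python script below, an added example and not Trend Micro's code, walks a directory tree and reports both. The VBA heuristic (looking for the UTF-16LE storage names "Macros" and "VBA" that an OLE2 directory exposes for a VBA project) and the threshold of three identical files are my own assumptions, not something from the report; the demo tree it scans is constructed inline so the script runs offline.

```python
"""Triage heuristic for the Dridex macOS .doc overwrite behaviour.

Two observations drive it:
  1. The binary overwrites every .doc under the user's home directory with
     the same embedded macro document, so many .doc files become
     byte-identical.
  2. Legacy .doc files are OLE2 compound files; a VBA project shows up as
     directory entries named "Macros" and "VBA", stored as UTF-16LE strings.
Neither check alone is proof; together they make a reasonable first-pass
filter. Added example; heuristics and thresholds are assumptions.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names inside an OLE2 container are stored as UTF-16LE.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "VBA")]
# Assumed threshold: three or more byte-identical .doc files is suspicious.
CLUSTER_MIN = 3


def looks_like_macro_doc(data: bytes) -> bool:
    """True if data is an OLE2 container that exposes VBA project storages."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return all(marker in data for marker in VBA_MARKERS)


def scan_home(root: str):
    """Walk root for .doc files; return (flagged_paths, identical_clusters).

    flagged_paths: .doc files that pass the VBA heuristic.
    identical_clusters: {sha256: [paths]} for groups of CLUSTER_MIN+ files
    with identical bytes, the fingerprint of a blanket overwrite.
    """
    by_hash = defaultdict(list)
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".doc"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
            if looks_like_macro_doc(data):
                flagged.append(path)
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) >= CLUSTER_MIN}
    return sorted(flagged), clusters


def build_demo_tree() -> str:
    """Create a constructed home-directory lookalike for offline testing."""
    root = tempfile.mkdtemp(prefix="dridex_demo_")
    # Constructed stand-in for the macro-laden document: OLE2 header plus the
    # UTF-16LE storage names a real VBA project would expose. Not real malware.
    infected = (OLE2_MAGIC + b"\x00" * 504
                + "Macros".encode("utf-16-le") + b"\x00" * 16
                + "VBA".encode("utf-16-le") + b"\x00" * 64)
    # Constructed clean legacy document: OLE2 header, no VBA storages.
    clean = (OLE2_MAGIC + b"\x00" * 504
             + "WordDocument".encode("utf-16-le") + b"\x00" * 64)
    layout = {
        "Documents/invoice.doc": infected,
        "Documents/2019/notes.doc": infected,
        "Desktop/resume.doc": infected,
        "Documents/clean.doc": clean,
        "Documents/report.docx": b"PK\x03\x04 not a legacy .doc, ignored",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo() -> dict:
    """Scan the constructed tree and return a summary safe to assert on."""
    root = build_demo_tree()
    flagged, clusters = scan_home(root)
    return {
        "flagged": sorted(os.path.basename(p) for p in flagged),
        "cluster_sizes": sorted(len(paths) for paths in clusters.values()),
    }


if __name__ == "__main__":
    # On a real host you would run: scan_home(os.path.expanduser("~"))
    print(demo())
```

On a live system, call `scan_home(os.path.expanduser("~"))` and treat any cluster of identical .doc files that also passes the VBA heuristic as a strong lead; confirm by extracting the macro source with a proper OLE parser such as oletools' olevba rather than relying on the byte-pattern check alone.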
Even though documents containing booby-trapped macros are typically delivered through social engineering, the findings show once again that Microsoft's decision to block macros by default in Office files downloaded from the internet has pushed threat actors to refine their techniques and look for other entry points.
"Currently, the impact of this Dridex variant on macOS users is minimal because the payload is an .EXE file, which is incompatible with macOS environments," Trend Micro stated. The variant nonetheless still overwrites the user's .doc files, leaving behind documents that carry Dridex's malicious macros, which matters if those documents are later shared with or opened on Windows hosts.