Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers password protect something, it can be very frustrating for an analyst, because we are often left with few options for finding out what they are protecting. We can always try to brute force the password outright, but unless the attackers picked something like 1q2w3e4r, we're up a creek without an oar. If what we have is an MD5 hash of the password, we have many more options for cracking it. In the case of .xls files with a password-protected VBA project, we have another option entirely: we can essentially "wipe out" the stored password and replace it with one of our own. In a recent wave of Dridex phishing emails, this is what we saw. Here's the phishing email sent to one PhishMe employee:

Figure 1 — Phishing email

Figure 2 — Phishing email

When we open the file in a VM, we can see that it contains macros (Figure 3). Pressing Alt+F11 takes us into the VBA project, but we can see that it is password protected (Figure 4).

Figure 3 — Macros in the phishing document

Figure 4 — Macro password protected

A bit of research turns up a technique for bypassing this password, documented on Stack Overflow. The method is documented here.

For the bypass, we open the document in Notepad++ and look for three variables in the VBA project stream: CMG=, DPB=, and GC=. These hold the project's protection state and its (obfuscated) password.

Figure 5 — Encrypted values

By creating a new file of our own and protecting its VBA project with a password we know, say "12345678", we get a set of CMG, DPB, and GC values that we can transplant into the malicious file. Here's what the data from our safe file looks like:

Figure 6 — Safe document with the password "12345678"

When swapping these in, make sure each value you paste is the same length as the one it replaces. Changing the lengths changes the file size and corrupts the file, which breaks the macro extraction, as seen in Figure 7. If the values from your safe file come out a different length, protect it again with a password of a different length until they match.

Figure 7 — Incorrect file length

Once the lengths match, copy and paste the CMG, DPB, and GC values from the safe file into the file we're breaking. If all goes well, the document still opens with its macro intact, but when we hit Alt+F11 and enter our own password, we see the macro code!

Figure 8 — Bypassing the password to get to the macro code
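The same swap can be scripted instead of done by hand in Notepad++. The following is an added example, not code from the original post: it searches the raw bytes of a file for the CMG=, DPB=, and GC= entries, copies the values from a "donor" file whose password we know, and refuses to proceed if any value would change length (the Figure 7 failure). The two PROJECT streams below are constructed stand-ins with placeholder hex values, not data from the real sample; on a real workbook you would read the whole .xls into bytes, call swap_protection, and write the result to a new file.

```python
import re

# The three entries the VBA PROJECT stream uses to record project protection.
# CMG and GC describe the lock/visibility state, DPB holds the obfuscated password.
PROTECTION_KEYS = (b"CMG", b"DPB", b"GC")


def find_protection_values(blob: bytes) -> dict:
    """Return {key: hex_value} for the CMG=, DPB= and GC= entries in the raw bytes.

    The PROJECT stream is stored uncompressed inside the OLE container, so a
    byte search over the whole .xls works, just like searching in Notepad++.
    """
    values = {}
    for key in PROTECTION_KEYS:
        # Each entry sits at the start of its own line as KEY="<hex digits>"
        match = re.search(rb"(?m)^" + key + rb'="([0-9A-Fa-f]+)"', blob)
        if match:
            values[key] = match.group(1)
    return values


def length_mismatches(target_values: dict, donor_values: dict) -> list:
    """Keys whose donor value is a different length from the target's value."""
    return [key for key in PROTECTION_KEYS
            if len(target_values[key]) != len(donor_values[key])]


def swap_protection(target: bytes, donor: bytes) -> bytes:
    """Copy the CMG/DPB/GC values of `donor` (a file whose password we know)
    into `target` without changing the file size."""
    target_values = find_protection_values(target)
    donor_values = find_protection_values(donor)
    missing = [k.decode() for k in PROTECTION_KEYS
               if k not in target_values or k not in donor_values]
    if missing:
        raise ValueError("missing protection entries: " + ", ".join(missing))

    bad = length_mismatches(target_values, donor_values)
    if bad:
        raise ValueError(
            "length differs for " + ", ".join(k.decode() for k in bad)
            + ": re-protect the safe file with a password of a different "
            "length until the lengths match")

    patched = target
    for key in PROTECTION_KEYS:
        old, new = target_values[key], donor_values[key]
        patched = patched.replace(
            key + b'="' + old + b'"', key + b'="' + new + b'"', 1)

    # A same-length replacement must never change the file size.
    assert len(patched) == len(target)
    return patched


def _project_stream(cmg: bytes, dpb: bytes, gc: bytes) -> bytes:
    """Constructed PROJECT stream in the layout Office writes (hypothetical
    placeholder values, not real protection data)."""
    return (b'ID="{A0B1C2D3-0000-0000-0000-000000000000}"\r\n'
            b"Document=ThisWorkbook/&H00000000\r\n"
            b"Module=Module1\r\n"
            b'Name="VBAProject"\r\n'
            b'HelpContextID="0"\r\n'
            b'CMG="' + cmg + b'"\r\n'
            b'DPB="' + dpb + b'"\r\n'
            b'GC="' + gc + b'"\r\n')


# Constructed inputs: the "malicious" file and two safe files we protected ourselves.
MALICIOUS = _project_stream(b"0" * 24, b"1" * 40, b"2" * 24)
SAFE_SAME_LENGTH = _project_stream(b"A" * 24, b"B" * 40, b"C" * 24)
SAFE_WRONG_LENGTH = _project_stream(b"A" * 24, b"B" * 44, b"C" * 24)


if __name__ == "__main__":
    # Real usage: swap_protection(open("evil.xls", "rb").read(), open("safe.xls", "rb").read())
    print(find_protection_values(swap_protection(MALICIOUS, SAFE_SAME_LENGTH)))
    try:
        swap_protection(MALICIOUS, SAFE_WRONG_LENGTH)
    except ValueError as err:
        print("refused:", err)
```

Because the values are replaced in place, the OLE directory and sector tables stay valid and Excel opens the patched copy normally; the VBA editor then prompts for the donor file's password.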

One of the strings in the macro is "uggc://5.196.175.140/squgrcbcquq/fsojhejsy/jlkoqs.rkr". From a cryptanalysis perspective, a few things stand out. First, the "://" followed by what is clearly an IP address: since "://" normally follows a scheme such as http, we can safely assume that "uggc" is actually "http". Short tokens and repeated letters also help find more things of interest: the ".rkr" at the end has the same letter at the beginning and the end, which matches the pattern of ".exe", and a downloaded executable is exactly what we would expect a macro-laden Excel file to be fetching.

Looking further at the code, we can also see that it mentions Rot13. It is also worth noting that their routine handles both upper and lowercase letters.

Figure 9 — Rot13 algorithm used by the attackers

We can see that once they decode the rot13 text, they run it on the command line with the Shell function from within the VBA code.

Figure 10 — Matching up obfuscated routines

By importing codecs in Python and calling codecs.encode("data", "rot_13"), we can decode the rot13 data. Note that rot13 is its own inverse: applying it a second time gives the original text back, much like XOR with the same key. Once executed, powershell.exe will attempt to download a file to "%TEMP%\JIOiodfhioIH.exe" and execute it with Start-Process.

Figure 11 — IP address and presence of ".exe" for the malware
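To make the decoding step concrete, here is an added example (not the attackers' VBA and not code from the original post) that reimplements rot13 the way the macro does, handling upper and lower case separately and leaving digits and punctuation untouched, then decodes the string quoted above and cross-checks the result against Python's rot_13 codec. The scheme and extension heuristics from the text are written out as a small check so they can be reused on other obfuscated strings.

```python
import codecs

# The rot13-encoded string taken from the macro discussed on this page.
ENCODED_URL = "uggc://5.196.175.140/squgrcbcquq/fsojhejsy/jlkoqs.rkr"


def rot13(text: str) -> str:
    """Rotate letters by 13 places, upper and lower case handled separately
    (as the attackers' routine does); everything else passes through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_macro_string(encoded: str) -> str:
    """Decode with our own rot13 and cross-check against the stdlib codec."""
    decoded = rot13(encoded)
    assert decoded == codecs.encode(encoded, "rot_13")
    return decoded


def is_rot13_http_url(encoded: str) -> bool:
    """The first heuristic from the text: the token before '://' must decode
    to an HTTP scheme. Digits (the IP address) survive rot13 unchanged."""
    scheme, sep, _rest = encoded.partition("://")
    return bool(sep) and rot13(scheme).lower() in ("http", "https")


def fetches_executable(encoded: str) -> bool:
    """The second heuristic: a trailing token that decodes to '.exe'."""
    return rot13(encoded).lower().endswith(".exe")


if __name__ == "__main__":
    print("rot13 is an involution:", rot13(rot13(ENCODED_URL)) == ENCODED_URL)
    print("decoded:", decode_macro_string(ENCODED_URL))
    print("http URL:", is_rot13_http_url(ENCODED_URL))
    print("fetches an .exe:", fetches_executable(ENCODED_URL))
```

The decoded string is the download URL the PowerShell stage fetches, which is the IP address and ".exe" visible in Figure 11; the same function decodes any other rot13 strings pulled out of the macro.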

While the connection keeps timing out when we try to download the sample (Figure 12), we can still gather different pieces of intelligence by doing open source research on the IP address.

Figure 12 — Timeouts from the IP address

A few sites that reference the download of the executable:

https://urlquery.net/report.php?id=1424108177353

http://urlquery.net/report.php?id=1424165168813

Conrad over at Dynamoo was able to obtain the executable file, and at the time of writing this sample of Dridex is flagged by only 3 of 57 AV vendors.

Figure 13 — Poor AV detection for malware samples

Macro attacks were once considered a thing of the past, but we are now seeing a huge influx of them, not least because of how easy it is to insert macro code into a Word document, Excel workbook, or PowerPoint deck (Alt+F11).

While simple, the following Yara rule looks for the magic bytes of an OLE2 Office document together with an artifact the VBA editor leaves in the file, and gives us a starting point for detection. Note that it only covers the legacy binary formats (.doc/.xls); the newer zipped .docm/.xlsm files start with "PK" rather than the OLE2 magic and need a separate rule.

Figure 14 — Scanning of the Yara rule

The Yara rule can be downloaded from here.

rule PM_Office_with_macro
{
    strings:
        // OLE2 compound file magic (legacy .doc/.xls containers)
        $header = {d0 cf 11 e0}
        // reference to the VBA runtime written by the VBA editor;
        // backslashes must be escaped inside a Yara text string
        $s1 = "\\VBA\\VBA6\\VBE6.DLL" nocase

    condition:
        $header at 0 and $s1
}
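The rule's logic is easy to mirror in Python when Yara is not available, and doing so makes the gap in the rule visible. The block below is an added example, not the original post's tooling: matches_pm_office_with_macro reproduces the rule (OLE2 magic at offset 0, VBE6.DLL reference anywhere, case-insensitive like nocase), and has_ooxml_vba_project goes beyond the page's rule by also recognising the zipped .docm/.xlsm/.pptm formats, whose macros live in a vbaProject.bin part. The sample files are constructed in memory and are not real documents.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0")         # same four bytes as $header
VBA_RUNTIME_REF = b"\\VBA\\VBA6\\VBE6.DLL"    # same string as $s1
ZIP_MAGIC = b"PK\x03\x04"                     # local file header of a zip/OOXML file


def matches_pm_office_with_macro(data: bytes) -> bool:
    """Python equivalent of the Yara rule: OLE2 magic at offset 0 and the
    VBE6.DLL reference anywhere in the file, compared case-insensitively."""
    return data.startswith(OLE_MAGIC) and VBA_RUNTIME_REF.lower() in data.lower()


def has_ooxml_vba_project(data: bytes) -> bool:
    """Beyond the rule: OOXML documents are zip containers, so the OLE-only
    rule never fires on them; their macros sit in a vbaProject.bin part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify(data: bytes) -> str:
    """Label a file the way a scanner combining both checks would."""
    if matches_pm_office_with_macro(data):
        return "ole-macro"
    if has_ooxml_vba_project(data):
        return "ooxml-macro"
    return "clean"


def build_ole_like(with_macro: bool) -> bytes:
    """Constructed stand-in for an OLE2 workbook: the 8-byte magic plus filler,
    optionally with the VBA runtime reference embedded in lower case to
    exercise the nocase behaviour. Not a real compound file."""
    body = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64
    if with_macro:
        body += b"\x00" * 8 + b"\\vba\\vba6\\vbe6.dll" + b"\x00" * 8
    return body


def build_ooxml_like(with_macro: bool) -> bytes:
    """Constructed stand-in for an .xlsx/.xlsm: a zip with a couple of parts,
    optionally including the vbaProject.bin part that carries macros."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            archive.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buffer.getvalue()


if __name__ == "__main__":
    for label, sample in (("ole with macro", build_ole_like(True)),
                          ("ole without macro", build_ole_like(False)),
                          ("ooxml with macro", build_ooxml_like(True)),
                          ("ooxml without macro", build_ooxml_like(False))):
        print(f"{label}: rule={matches_pm_office_with_macro(sample)} "
              f"classify={classify(sample)}")
```

The "ooxml with macro" case is the one to watch: the page's rule returns False for it, so a production ruleset needs a second rule keyed on the zip magic and the vbaProject.bin part name.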

