New RTF macro Malware from the Dridex gang

Anything else that cannot be categorized in the other forums.
BlackSt0rm
Posts: 40
Joined: Tue Mar 22, 2016 6:23 pm
Country: South Africa
Firstname: Branagth

New RTF macro Malware from the Dridex gang

Postby BlackSt0rm » Thu Mar 24, 2016 3:38 pm

In the aftermath of Locky many companies started blocking EXE files directly attached or in ZIP files on their mail gateways. Some moved further and started removing active content in DOC, XLS,  and other MS Office files.  Today an old file type got used again and the virus scanner hit rate was really bad again.

Details

The Malware gets delivered by mails with a RTF file attached (which is often used in the medical area), which e.g. looks like this:

Image

The company exists if you check before opening the attachment. Normally bad RTF files did contain EXE files within them, but not this time. This time it contains highly obfuscated macro code, which MS Word executes. which looks like this:

Code: Select all

Sub Document_Open()
Dim HGFDSXDSFVV
HCFDSFDSFB = "hel"
VDSFCDSJ = "qweee"


Code: Select all

GoTo PQOycAsH
Dim XJwoBhgN As String
Open "JQJLAG.ANU" For Binary As 66


Code: Select all

GoTo pKlIahvf
Dim wVyQZrAv As String
Open "CTTBNH.FEB" For Binary As 18
Put #18, , wVyQZrAv
Close #18
pKlIahvf:


Code: Select all

Put #66, , XJwoBhgN
...


which then did use

Code: Select all

WScript.exe

to download a file from

Code: Select all

http://wrkstn09.PEORIASENIORBAND.COM/dana/home.php


other researchers report followingURLs:

Code: Select all

http://connect.businesshelpa-z.com/dana/home.php
http://wrkstn09.satbootcampaz.com/dana/home.php


The file is called

Code: Select all

fuckyourself.ass

which is in reality a EXE file, which contains the Malware itself. Uploading this (we’re one of the first it seems ) to Virustotal showed that only 2 virus scanner detected the Malware:

Image

Some hours later and after others saw the file also in the wild and as we reported the file to virus vendors it looks a little bit better, but not good – for the dropper 8/56:

Image

and for the malware itself 10/56:

Image

I normally don’t write about single viruses, but this one is a show case for some opinions I’ve for some time now.

  • Forget about normal virus detections – sure keep it on Windows system but don’t count on it.
  • You really need to implemented procedures as described in this early blog post.
  • It gets more and more important to implement a sand-boxing technology, where all your files which get to you’re company from the internet gets executed / opened. And this means every file .. not only executables. There are also sand boxing technologies that run on premise or in an European data center.
  • Bigger companies can mitigate that problem easier, the problem child are home users and small companies.

I don’t have a good solutions for home users so far … maybe someone knows something that I could recommend the Windows home users I know.

Source:

Code: Select all

http://robert.penz.name/1306/new-rtf-macro-malware-from-the-dridex-gang/
Is there any other kind of St0rm than Black?

Return to “Other”

Who is online

Users browsing this forum: No registered users and 2 guests