Trojan-Downloader:W97M/Dridex

Classification

Category :

Malware

Type :

Trojan-Downloader

Platform :

W32, W64, W97M

Aliases :

Trojan- Downloader:W97M/Dridex.[variant] , Trojan.Dridex.[variant]

Summary

Trojan-Downloader:W97M/Dridex is a document file containing maliciously crafted macro code that, when allowed to run on a user's machine, drops a file onto the system. The dropped file attempts to contact a remote server.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it. The malicious URL the malware attempts to contact is also automatically blocked.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Downloader:W97M/Dridex is distributed in a Word document that is sent out as a file attachment to fraudulent emails that appear to be invoice-related. These emails have reportedly misused the names and/or branding of various legitimate companies to appear above-board.

The attached document may use an innocuous file name such as 'Invoice.doc', or by randomly named. In the sample analyzed (SHA1: 8c77475defd5ee97d60727e8faec69b8eafa64fc), the attachment was simply named 'Attachment.doc':

Dridex's booby-trapped Word document

On downloading and opening the attached Word document, the document appears to be a blank page; a security warning appears saying that 'Macros have been disabled' and providing a button for the user to click and 'Enable Content'.

Dridex tricks users into enabling malicious code

If the user does so, Dridex's malicious macro code is allowed to run and a file is immediately and silently dropped in the user's temp folder. In the sample analyzed, the dropped file used the name 'pilorghpt.exe':

Dridex drops a file to the user's temp folder

The dropped file then attempts to contact a remote server and retrieve an executable file to download the infected machine. Note: if DeepGuard is enabled, this file is automatically blocked from accessing the malicious remote site.

Theft of online banking credentials

Since the middle of 2014, Dridex malware have been reported attempting to steal users online banking credentials. The malware monitors the user's web browsing activity for visits to selected banking sites, then tries to capture the login details entered into web forms on these sites. The list of banks targeted are mainly focused on the United Kingdom, the United States and Australia, though activity in other countries have also been noted.

More information about Dridex's online banking phishing email campaigns can be found at:

About macro malware

Macro-based malware used to be far more common in the early 2000s, when macro codes in business-related documents (primarily Microsoft Office documents, due to their overwhelming prevalence) were automatically allowed to run when a document was opened. In response, changes were made to the document programs to disable this functionality and prevent automatic execution of macro code; users now must actively allow such code to run.

Since then, the volume of macro malware has reduced significantly, and currently such malware relies heavily on deceiving the user into unwittingly running the malicious code.