A new phishing email campaign has been discovered that uses a specially crafted Excel document as an attachment.

What's happening?

The malspam campaign, discovered by FortiGuard Labs, sends customers an email that purports to contain import tariff data.
  • The campaign delivers a new variant of the infamous Dridex malware.
  • After infection, the new variant collects sensitive information, including credentials, and loads additional malicious modules (DLLs).
  • The variant also uses anti-analysis techniques to evade detection by security solutions.

How does the new variant work?

The Excel document carries a message in bold at the top of the sheet urging the recipient to enable macros.
  • If the recipient enables macros despite Excel's security warning, the auto-run subroutine Workbook_Open() in the VBA macro executes as soon as the workbook is opened.
  • The document combines the VBA auto-run macro with Excel 4.0 (XLM) macros.
  • The macro code then runs and eventually writes out an HTML Application (HTA) file.
  • In the final stage, rundll32.exe is used to execute the downloaded Dridex payload.
  • The researchers note that the new variant reuses the anti-analysis techniques seen in a Dridex variant analysed the previous year.
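The infection chain above leaves a distinctive process lineage on the endpoint: an Office application spawning mshta.exe for the HTA stage, which in turn spawns rundll32.exe for the DLL payload. As an added example (not code from the FortiGuard report or this article), the following Python detection logic walks parent/child links over constructed Sysmon-style process-creation events and flags living-off-the-land binaries that have an Office application anywhere in their ancestry. Field names, paths, PIDs and command lines are invented for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Office hosts whose descendants are worth scrutinising.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# LOLBins a macro chain typically spawns: mshta.exe for the HTA stage,
# rundll32.exe for the DLL payload, plus the usual script hosts.
SUSPICIOUS_CHILDREN = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe"}
MAX_DEPTH = 6  # how far up the parent chain to look

# Constructed Sysmon-style process-creation events (Event ID 1 subset).
# Everything here is invented for the example, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 900, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\alice\Downloads\import_tariffs.xls"'},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\report.hta"'},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",DllRegisterServer'},
    # Benign noise: rundll32 launched from the shell, and Excel printing.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 4500, "ppid": 4100, "image": r"C:\Windows\splwow64.exe", "cmd": "splwow64.exe"},
]


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict], max_depth: int = MAX_DEPTH) -> List[str]:
    """Image names from the oldest known ancestor down to `event`.
    PIDs are assumed unique within the window; real telemetry should key on
    process GUIDs or creation timestamps because PIDs are reused."""
    chain = [_basename(event["image"])]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(_basename(parent["image"]))
        cur = parent
    chain.reverse()
    return chain


def detect_office_spawn_chain(events: List[Dict]) -> List[Tuple[int, List[str], str]]:
    """Flag suspicious LOLBins that descend from an Office application.
    Returns (pid, chain starting at the Office app, command line) per hit."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid)
        office_idx = next((i for i, n in enumerate(chain) if n in OFFICE_APPS), None)
        if office_idx is not None:
            alerts.append((e["pid"], chain[office_idx:], e["cmd"]))
    return alerts


if __name__ == "__main__":
    for pid, chain, cmd in detect_office_spawn_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} chain={' -> '.join(chain)} cmd={cmd}")
```

On the sample data this flags mshta.exe (PID 4212) and rundll32.exe (PID 4300) because both descend from EXCEL.EXE, while the rundll32.exe started from explorer.exe and the print helper spawned by Excel are ignored. Checking the whole ancestry rather than only the direct parent matters here: the payload stage is two hops below the Office process, so a parent-only rule would miss it.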

Decoding the anti-analysis techniques

  • Windows API functions are not imported by name: each call is resolved at run time by hashing the export names of a loaded module and comparing them with a stored hash (API hashing), so no API names appear as plaintext in the binary.
  • All constant strings are kept encrypted in memory and decrypted only immediately before use.
  • Some API calls are made indirectly: the code deliberately raises an exception (code 0x80000003, EXCEPTION_BREAKPOINT) and the registered exception handler catches it and performs the actual call. This hides the call site from straight-line disassembly and also trips up debuggers, which intercept breakpoint exceptions before the handler sees them.
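The first two techniques, as an added example in Python (not Dridex's code or FortiGuard's analysis): a loader-side resolver that locates an export by hash of its name, the analyst-side table that maps recovered hashes back to names, and a decrypt-on-use string store. The ROR-13 hash, the export list and the XOR key are assumptions chosen for illustration; the page does not state which hash algorithm or string cipher Dridex actually uses.

```python
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR-13 additive hash over the ASCII export name.
    Assumed algorithm for illustration, not Dridex's actual hash."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # rotate right by 13
        h = (h + b) & MASK32
    return h


# Constructed stand-in for a module's export table (a few kernel32 names).
# A real loader walks the PE export directory of the module in memory.
KERNEL32_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "CloseHandle", "GetTickCount",
]


def malware_resolve(target_hash: int, exports: List[str]) -> Optional[str]:
    """Loader side: hash every export name and stop on the first match.
    Only the 32-bit constant is stored in the binary, never the API name."""
    for name in exports:
        if ror13_hash(name) == target_hash:
            return name
    return None


def build_rainbow(exports: List[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name over known exports so hashes
    pulled from the sample can be labelled in the disassembly."""
    return {ror13_hash(n): n for n in exports}


def annotate_hashes(hashes: List[int], table: Dict[int, str]) -> Dict[int, str]:
    """Map recovered hash constants to names, keeping order of appearance."""
    return {h: table.get(h, "<unknown>") for h in hashes}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both builds and undoes the sample store."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Assumed key and a constructed encrypted-string table. Ciphertext is built
# here for the example; in a sample it would ship pre-encrypted in .data.
ENC_KEY = b"\x5a\xc3\x17"
ENCRYPTED_STRINGS: Dict[str, bytes] = {
    "ua": xor_bytes(b"Mozilla/5.0 (compatible)", ENC_KEY),
    "export": xor_bytes(b"VirtualAlloc", ENC_KEY),
}


def decrypt_string(tag: str) -> str:
    """Decrypt a string at the moment it is needed, leaving no plaintext
    copy around between uses (technique two above)."""
    return xor_bytes(ENCRYPTED_STRINGS[tag], ENC_KEY).decode("ascii")


if __name__ == "__main__":
    wanted = ror13_hash("VirtualAlloc")
    print(f"loader resolves {wanted:#010x} -> {malware_resolve(wanted, KERNEL32_EXPORTS)}")
    table = build_rainbow(KERNEL32_EXPORTS)
    print(annotate_hashes([ror13_hash("LoadLibraryA"), 0xDEADBEEF], table))
    print(decrypt_string("ua"))
```

The analyst-side table is the practical takeaway: when a sample contains a list of 32-bit constants next to an export-walking loop, hashing the exports of the standard Windows DLLs with a set of candidate algorithms and looking the constants up is usually faster than stepping through the resolver in a debugger, especially when, as here, the sample also uses breakpoint exceptions that the debugger will swallow.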

Conclusion

Threat actors behind Dridex have stayed relevant by leveraging lure themes, here import tariffs, that could tempt victims to open email attachments. That victims open malicious attachments despite the security warnings also points to organizations' shortcomings in blocking such threats and in employee training.

Cyware Publisher