Effective URL: https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/

Security Soup

infosec news, commentary, and research


DOPPELDRIDEX DELIVERED VIA SLACK AND DISCORD

Posted on September 27, 2021 by admin in Malware Analysis, Research


SUMMARY

Several recent phishing campaigns have attempted to deliver a variant of the
Dridex banking trojan via payloads staged on the Slack and Discord CDNs. The
variant is DoppelDridex, a modified fork of the original Dridex malware, operated
by the financially motivated eCrime adversary tracked as DOPPEL SPIDER.
Additional tooling such as Cobalt Strike is often delivered as a secondary
payload and may be leveraged for further remote access, lateral movement, and
preparation for deployment of Grief ransomware.

The recent campaigns delivering this variant use attachments containing Excel
4.0 (XLM) sheet macros to fetch the initial payload from domains of popular
messaging CDNs such as discordapp[.]com and files.slack[.]com. These sites are
attractive to threat actors for staging payloads because they are often trusted
or allowlisted by proxies and other network-based controls. The maldocs in these
campaigns are also commonly built in the Microsoft Excel Binary Workbook format
(XLSB), which causes problems for some tools designed for automated analysis.

In this blog post, I review a recent sample of a DoppelDridex Excel maldoc with
the .xlsb extension and examine some analytical approaches to extracting useful
information in the form of TTPs and IOCs.




DELIVERY AND INFECTION CHAIN

The maldocs in these campaigns are delivered as email attachments that commonly
use an invoice or tax-themed social engineering lure. If the user enables
content, the sheet macro executes. The macro code contains two obfuscated HTML
documents, one nested inside the other, whose embedded VBScript retrieves the
DoppelDridex payloads from adversary-controlled files hosted on the Slack and
Discord CDNs. Two files are written to the ProgramData directory. The first is
an HTML document extracted from the sheet macro, written to
'C:\ProgramData\[random name].rtf' and run via an mshta.exe process (mshta
executes the HTA content regardless of the file extension). This .rtf contains
an obfuscated integer array that decodes to a second HTML document. The second
HTML document contains lightly obfuscated VBScript and is responsible for
creating a shell object that loads the main DoppelDridex payload, which is
ultimately written to disk as 'C:\ProgramData\defdoc.png' and then executed by a
rundll32.exe process.

DoppelDridex infection chain

 


STATIC SAMPLE ANALYSIS

SHA256: 91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55 (VT
LINK)

The maldoc downloader is an Excel document weaponized with Excel 4.0 (XLM)
sheet macros, which have been popular with malware authors for a couple of
years now. This type of macro is an older Microsoft standard that has been
essentially deprecated in favor of VBA macros; however, every version of Excel
can still run Excel 4.0 macros, their use is simply discouraged. So Excel 4.0
macros (a 20+ year old standard) still work, and their use as a malware loader
is intended for defense evasion. With sheet macros, the code is not stored in a
VBA project stream; instead, the formula strings are broken up across various
cells of the workbook, typically on a hidden sheet.

Hidden Sheet Macros

This can bypass detection mechanisms that rely solely on finding compressed VBA
in an OLE stream. There are several options for extracting an Excel 4.0 macro.
You could track the code execution manually from cell to cell, but this is not
practical here: many cells reference each other, and the string and integer
manipulation in between would have to be evaluated by hand. In these cases it
is not worth spending additional time on manual analysis, and automated tools
should be used.

Sheet macro cells

I have two go-to tools that do not require opening and interacting with the file
directly. The first I typically try is oledump.py from Didier Stevens. It has a
BIFF plugin developed specifically for sheet macros stored in the .xls format:
the plugin recognizes these files and extracts the macros from the BIFF (Binary
Interchange File Format) records inside the OLE "Workbook" stream. BIFF is a
very old record format whose early versions pre-date the OLE compound file
container used by XLS. With the BIFF plugin, the tool dumps all of the BIFF
records in the stream. This works well on the XLS format, but is problematic
with XLSB.

I also like Decalage's olevba for this type of analysis. Both tools are
extremely useful for analyzing the OLE streams in documents weaponized with VBA
macros. In this case, however, the XLSB format caused problems: an XLSB file is
a ZIP container of binary parts rather than an OLE compound file, so there are
literally no OLE streams to analyze, and the macros were not identified by my
preferred tooling.

issues for automated analysis


Unfortunately, since this file is .xlsb, neither tool is able to recognize the
file or identify the macros. In this case we have the advantage of knowing there
is definitely a macro in the maldoc: there are a great many cell values and
string values that perform malicious operations once a victim enables content.

Since both of my tried and true methods were ineffective, I turned to an
alternative tool from DissectMalware called XLMMacroDeobfuscator. This tool uses
an internal XLM emulator that parses and evaluates the macros without actually
executing the code in Excel. Below you can see that the deobfuscator not only
identifies the macros but also interprets the code execution, effectively
stripping out the obfuscation. This way, the URLs hosting the initial
DoppelDridex payload on cdn.discordapp[.]com and files.slack[.]com can be easily
extracted.

successful extraction with XLMMacroDeobfuscator

XLMMacroDeobfuscator also surfaces another segment of the HTML file that is of
particular interest for the next stage of execution: a large block of integers
assigned to an array. The key to decoding this block is to loop through the
array and subtract 1022 from each integer, which is evident from the line
immediately below the code block:

    RKzEcSN = RKzEcSN & Chr(Round(VYITkd - 1022,0))

If you look closely, the "VYITkd" variable is the loop variable of a For Each
statement that iterates over the array, so each element is shifted down by
1022, rounded, and appended to the output string as a single character.

The good news is that we can use this same logic to decode the array quickly
and safely. I whipped up a quick Python script to handle this, as it was likely
the fastest and easiest method. The script isn't anything fancy, but it got the
job done: loop through the array, subtract 1022, convert the resulting integer
to its ASCII character, and join the results to obtain the second layer of HTML
code. The Python script I used to decode the array can be found on my GitHub
(linked in the references below):

decoding the array with Python
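For readers who want the decoding logic in working form, here is an added example that is not the post's own GitHub script. It pulls the offset out of the Chr(Round(v - N,0)) expression instead of hard-coding 1022, collects every numeric Array(...) literal, and reproduces VBScript's Round() before Chr(). The short VBScript fragment it decodes is constructed for this example (the real array is far longer); the loop variable names are borrowed from the line quoted above.

```python
"""
Decoder for the VBScript "integer array minus offset" string obfuscation seen
in the second-stage HTML: every element of an Array(...) literal is passed
through Chr(Round(element - OFFSET, 0)) and appended to a string.

Added example, not the original post's script. SAMPLE_VBS below is a
constructed fragment in the same shape as the maldoc's decoder.
"""
import re

# Matches the decode expression, with or without the Round() wrapper, and
# captures the loop variable and the numeric offset, e.g.
#   Chr(Round(VYITkd - 1022,0))   ->  var="VYITkd", offset="1022"
CHR_EXPR = re.compile(
    r"Chr\(\s*(?:Round\(\s*)?(?P<var>[A-Za-z_]\w*)\s*-\s*(?P<offset>\d+(?:\.\d+)?)"
)

# Matches an Array(...) literal; VBScript line continuations (" _") inside the
# literal are harmless because only the numeric tokens are extracted.
ARRAY_LITERAL = re.compile(r"\bArray\s*\((?P<body>[^)]*)\)", re.S)

NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


def find_offset(script: str) -> float:
    """Pull the subtraction constant out of the Chr(Round(v - N, 0)) line."""
    m = CHR_EXPR.search(script)
    if m is None:
        raise ValueError("no Chr(... - N) decode expression found")
    return float(m.group("offset"))


def find_arrays(script: str) -> list:
    """Return every numeric Array(...) literal in the script, in order."""
    arrays = []
    for m in ARRAY_LITERAL.finditer(script):
        values = [float(tok) for tok in NUMBER.findall(m.group("body"))]
        if values:
            arrays.append(values)
    return arrays


def decode_array(values, offset: float) -> str:
    """Apply Chr(Round(v - offset, 0)) to each element.

    VBScript's Round() and Python's round() both round half to even, so
    round() reproduces the original arithmetic exactly. Chr() in VBScript
    only accepts 0..255, so a result outside that range means the offset is
    wrong or the scheme differs, not that a character was decoded.
    """
    out = []
    for v in values:
        code = round(v - offset)
        if not 0 <= code <= 255:
            raise ValueError(f"value {v} decodes to {code}, outside Chr() range")
        out.append(chr(code))
    return "".join(out)


def decode_script(script: str) -> str:
    """Locate the offset and the longest array in a script and decode it."""
    offset = find_offset(script)
    arrays = find_arrays(script)
    if not arrays:
        raise ValueError("no Array(...) literal found")
    return decode_array(max(arrays, key=len), offset)


# Constructed VBScript fragment (not from the real maldoc). The first element
# is fractional to show that Round() is applied before Chr().
SAMPLE_VBS = r"""
Dim RKzEcSN, VYITkd
Dim blob
blob = Array(1089.4, 1136, 1123, 1119, 1138, 1123, 1101, 1120, 1128, 1123, _
             1121, 1138, 1062, 1056, 1109, 1105, 1121, 1136, 1127, 1134, _
             1138, 1068, 1105, 1126, 1123, 1130, 1130, 1056, 1063)
For Each VYITkd In blob
    RKzEcSN = RKzEcSN & Chr(Round(VYITkd - 1022,0))
Next
"""

if __name__ == "__main__":
    print(decode_script(SAMPLE_VBS))  # CreateObject("WScript.Shell")
```

If a sample uses a different arithmetic (addition, XOR, a per-index key), the range check in decode_array is what tells you so: garbage offsets tend to push values outside 0..255 quickly rather than producing plausible text.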

The final command in this stage of the infection chain simply creates a new
shell object and leverages wmic to launch rundll32, which loads the DoppelDridex
DLL that was previously downloaded as a PNG file. To recap, the commands that
can be leveraged for detection are:

wmic process call create 'mshta C:\ProgramData\[RANDOM].rtf'
wmic process call create "rundll32.exe C:\\ProgramData\defdoc.png"
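As an added example (not part of the original post), the following turns the two commands above into detection logic and runs it over a handful of constructed process-creation events. The event shape (Sysmon Event ID 1-like field names) and the sample events, including the placeholder .rtf name, are this example's own construction; only the behaviours being matched come from the chain described above. One caveat worth building in: a process started through wmic process call create is created by the WMI provider host, so its parent is WmiPrvSE.exe rather than the wmic.exe that issued the call, and parent-child rules must look for that.

```python
"""
Detection logic for the process-creation TTPs in this chain, run over a few
constructed Sysmon Event ID 1-like events. Added example, not the post's code.
"""
import re

# First argument after the executable token, quoted or bare. rundll32 takes
# "<module>,<EntryPoint>", so the module path is everything before the comma.
FIRST_ARG = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))')
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)

# Extensions rundll32 is normally asked to load; anything else is suspicious.
DLL_LIKE = {"dll", "ocx", "cpl", "drv", "ax"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_argument(cmdline: str) -> str:
    m = FIRST_ARG.match(cmdline)
    if m is None:
        return ""
    arg = m.group("q") if m.group("q") is not None else m.group("u")
    return arg.split(",", 1)[0].strip('"')


def extension(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def rule_wmic_process_call_create(ev):
    return (basename(ev["Image"]) == "wmic.exe"
            and bool(WMIC_CREATE.search(ev["CommandLine"])))


def rule_wmi_spawned_lolbin(ev):
    # Win32_Process.Create spawns the child under WmiPrvSE.exe, not under the
    # wmic.exe that issued the call, so the parent check targets WmiPrvSE.
    return (basename(ev["ParentImage"]) == "wmiprvse.exe"
            and basename(ev["Image"]) in {"mshta.exe", "rundll32.exe"})


def rule_rundll32_non_dll_module(ev):
    if basename(ev["Image"]) != "rundll32.exe":
        return False
    module = first_argument(ev["CommandLine"])
    return bool(module) and extension(module) not in DLL_LIKE


def rule_mshta_programdata_non_hta(ev):
    if basename(ev["Image"]) != "mshta.exe":
        return False
    target = first_argument(ev["CommandLine"]).replace("\\\\", "\\").lower()
    return "\\programdata\\" in target and extension(target) != "hta"


RULES = [
    ("wmic_process_call_create", rule_wmic_process_call_create),
    ("wmi_spawned_lolbin", rule_wmi_spawned_lolbin),
    ("rundll32_non_dll_module", rule_rundll32_non_dll_module),
    ("mshta_programdata_non_hta", rule_mshta_programdata_non_hta),
]


def scan(events):
    """Return {event_index: [names of rules that fired]} for each event."""
    return {i: [name for name, rule in RULES if rule(ev)]
            for i, ev in enumerate(events)}


# Constructed events (not real telemetry) in the order the chain produces
# them, followed by two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process call create 'mshta C:\ProgramData\kd83jd.rtf'",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\ProgramData\kd83jd.rtf",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\\ProgramData\defdoc.png",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), hits or "-")
```

The rundll32 rule keys on the module's extension rather than on the defdoc.png name, since the file name is the part of the TTP most likely to change between campaigns while "rundll32 loading something that is not a DLL" is not.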


More details on this maldoc can be found at the VT link provided above or the
Joe Sandbox report here.


CONCLUSION

DoppelSpider has consistently leveraged both Discord and Slack to deliver
DoppelDridex payloads to victims in recent weeks. Searching the Dridex tag on
URLhaus (linked in the references) shows that the use of Slack ebbs and flows,
while Discord appears to be the preferred platform for staging payloads. If
your organization has no business justification for connections to these CDNs,
consider blocking them outright at the network perimeter. These campaigns also
consistently use the XLSB file format, which may cause problems for automation
that relies on identifying malicious content in OLE streams. Despite this,
static analysis can be accomplished with tools that emulate the macros in the
XLSB document, which easily extracts the embedded IOCs.

Technical controls at the mail gateway typically have very high success rates
at defeating commodity malware delivered in opportunistic campaigns, but the
Excel 4.0/XLM macros in XLSB maldocs may evade them for the reasons noted
above. The TTPs presented here provide additional detection opportunities for a
layered defense strategy, and the analysis techniques can be used during
response efforts to quickly identify and extract IOCs. This campaign is a few
days old as of this writing; the TTPs should still be relevant.


IOCS

Delivery Maldoc SHA256:
91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55

DoppelDridex DLL SHA256:
acbcd5ce1579a43148eee9b867f035cd0bc16f237a4790322467a0dac23ce7c6

DoppelDridex DLL SHA256:
a6aaa4ffb112d78aa20345821920ce6554d96303f7fb3facb5143de348cf2aae

hxxps[:]//cdn.discordapp[.]com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll
hxxps[:]//cdn.discordapp[.]com/attachments/890212086519566369/890212251435425862/0_system.componentmodel.composition.registration.dll.dll
hxxps[:]//cdn.discordapp[.]com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll
hxxps[:]//files.slack[.]com/files-pri/T02F79UM6TT-F02F9AE9ZJ6/download/3_SmiEngine?pub_secret=4e9eeb9360
hxxps[:]//files.slack[.]com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3b
hxxps[:]//files.slack[.]com/files-pri/T02EHM1BB19-F02FFGMT84C/download/6_hpzstw72?pub_secret=009a86b011


REFERENCES

https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

https://redcanary.com/blog/grief-ransomware/

https://www.virustotal.com/gui/file/91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55/community

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xlsb/acc8aa92-1f02-4167-99f5-84f9f676b95a

https://support.microsoft.com/en-us/office/working-with-excel-4-0-macros-ba8924d4-e157-4bb2-8d76-2c07ff02e0b8?ocmsassetid=ha010336614&correlationid=2aa46e64-978f-4d6a-bf7d-950ab12599a1&ui=en-us&rs=en-us&ad=us


oledump.py

https://www.decalage.info/python/olevba

https://github.com/DissectMalware

https://github.com/DissectMalware/XLMMacroDeobfuscator

https://github.com/Sec-Soup/Python-ToolBox/tree/master/array-decoder_2

https://www.joesandbox.com/analysis/488098/0/html

https://urlhaus.abuse.ch/browse/tag/Dridex/

Tagged: DoppelDridex, DoppelSpider, Dridex, Malware Analysis, Python



