Dridex Malware Targeting macOS Platform Using New Entry Method

By using email attachments that resemble regular documents, a variant of Dridex (aka Bugat and Cridex), which is a banking malware is spreading to others through macOS.

Prior to now, the malware had been targeting Windows, but now it has been switched to attacking macOS instead, as reported by security researchers at Trend Micro.

Dridex Malware Targeting macOS

As one of the most common and dangerous information stealers, Dridex takes advantage of infected machines to access sensitive data, and not only that it also delivers and executes malicious programs. 

A cybercrime group called Evil Corp (aka Indrik Spider) is suspected of being responsible for this attack chain and this malware. As well as being a successor to Gameover Zeus, the malware is a new threat.

As Trend Micro has identified, the Dridex malware sample consists of an executable Mach-O file, which can be run on both macOS and iOS platforms. There are several file extensions they use in their files, including the following:-

• .o
• .dylib
• .bundle

A malicious document is contained in the Mach-O file, and once it is opened by the user, the malicious document runs automatically. Afterward, Microsoft Word files in the macOS user directory are overwritten, and more files are downloaded from a remote server.

In addition, it includes an executable file (.exe) that runs the malware, Dridex. These executables cannot be run on macOS as it is not compatible with the OS. 

It is possible, however, that Mac users could unwittingly infect others with malicious software when their Word files are overwritten by malicious versions when sharing their files over the Internet.

On the compromised machine, the binary attempts to download the Dridex loader which then attempts to execute the infection. A social engineering attack is typically used to deliver documents containing booby-trapped macros.

Recommendations

Dridex malware is not currently a threat to Mac users, so Mac users should be safe for now since the payload is an exe file. But, there is a possibility that this virus may be modified in the future to run on macOS by attackers, so users should stay alert.

• Attachments that are not clearly attributed to their origin should not be opened.
• Identify the sender by checking the sender’s email address and name.
• Use an anti-malware program that is robust.
• With macOS, Apple has included some security tools that are built into the operating system, including Gatekeeper as well as XProtect antivirus software.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book