Technology NewsDridex Malware Now Attacking macOS Systems with Novel Infection...

Dridex Malware Now Attacking macOS Systems with Novel Infection Method


Jan 06, 2023Ravie LakshmananUnited States

Dridex Malware Now Attacking macOS Systems with Novel Infection Method

A variant of the infamous Dridex banking malware has set its sights on Apple’s macOS operating system using a previously undocumented infection method, according to latest research.

It has “adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files,” Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.

Dridex, also called Bugat and Cridex, is an information stealer that’s known to harvest sensitive data from infected machines and deliver and execute malicious modules. It’s attributed to an e-crime group known as Evil Corp (aka Indrik Spider).

The malware is also considered to be a successor of Gameover Zeus, itself a follow-up to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows have leveraged macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload.

Trend Micro’s analysis of the Dridex samples involves a Mach-O executable file, the earliest of which was submitted to VirusTotal in April 2019. Since then, 67 more artifacts have been detected in the wild, some as recent as December 2022.

The artifact, for its part, contains a malicious embedded document – first detected way back in 2015 – that incorporates an Auto-Open macro that’s automatically run upon opening the document.


This is achieved by overwriting all “.doc” files in the current user directory (~/User/{user name}) with the malicious code extracted from the Mach-O executable in the form of a hexadecimal dump.

“While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files,” Pedragoza explained. “This makes it more difficult for the user to determine whether the file is malicious since it doesn’t come from an external source.”

The macros included in the overwritten document are engineered to contact a remote server to retrieve additional files, which includes a Windows executable file that will not run in macOS, indicating that the attack chain is a work in progress. The binary, in turn, attempts to download the Dridex loader onto the compromised machine.

While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft’s decision to block macros by default has prompted threat actors to refine their tactics and find more efficient methods of entry.

“Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments),” Trend Micro said. “However, it still overwrites document files which are now the carriers of Dridex’s malicious macros.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Please enter your comment!
Please enter your name here

Latest news

follow the Galaxy Unpacked 2023 live

We tell you how you can follow the Unpacked 2023 event live and online. join the conversationThe day...

அண்டார்டிகாவில் பிரண்ட் ஐஸ் ஷெல்ஃப் உடைகிறது – சான் பிரான்சிஸ்கோவின் 12 மடங்கு பெரிய பனிப்பாறையை உருவாக்குகிறது

கோப்பர்நிக்கஸ் சென்டினல்-2 செயற்கைக்கோளில் இருந்து எடுக்கப்பட்ட இந்த படங்கள், பிரண்ட் ஐஸ் ஷெல்ஃபில் இருந்து பிரிந்து சென்ற பாரிய பனிக்கட்டியின் முன்னும் பின்னும் இருப்பதைக்...

AMD Radeon 780M – upcoming graphics chip almost as good as NVIDIA GeForce RTX 2050

The first tests of the upcoming system from the red Radeon 780M based on the RDNA 3 architecture...

Experts Warn of ‘Ice Breaker’ Cyberattacks Targeting Gaming and Gambling Industry

Feb 01, 2023Ravie LakshmananGaming / Cyber Attack A new attack campaign has targeted the gaming and gambling sectors since...

The revolution of self-driving vehicles is advancing at a snail’s pace, so investors are spending their money differently

The promise that autonomous vehicles will cover the roads and transform transportation will not come to fruition for...

New Sh1mmer ChromeBook exploit unenrolls managed devices

A new exploit called ‘Sh1mmer’ allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps...

Must read

HIPA – The inflow of working capital in Hungary is at a new peak

The value of projects has never been higher...

Earn Flipkart Supercoins For FREE – Unlimited Free Coins

Flipkart Free Supercoin Loot  SuperCoin Loot – Daily Free...