macOS malware Dridex infects Apple users’ documents

Because its payload is still a Windows exe file, Dridex cannot do much harm on macOS yet. The malware is nonetheless spreading to Apple systems.

The Dridex malware is constantly evolving and is now infecting documents on macOS systems with malicious macros for the first time. And even though the tool cannot yet cause any major damage under the Apple operating system, the latest variant clearly shows the direction in which the development is heading.


Dridex malware contaminates documents on macOS systems for the first time

The Dridex malware, which has been known for years, has appeared in a new variant and is targeting macOS. It has an exe file as its payload, which is typical for Windows environments and cannot be run on Apple’s operating system.

However, according to a report by Trend Micro security researcher Armando Nathaniel Pedragoza, it is possible that the malware is in a testing phase and therefore not yet fully prepared for use on macOS-based computers. Nevertheless, he said, the tool can already add malicious macros to documents.

Deployment on macOS is a logical progression for such a widespread malware

According to The Register, Dridex began as a banking Trojan. Over time, however, its creators extended the tool: it can now also harvest user data and recruit infected machines into a botnet.

The FBI disrupted the malware in 2015, and four years later it identified the Russian hacker group Evil Corp as its developers. Since then, however, Dridex has repeatedly resurfaced and is now one of the Trojans most frequently used to attack financial institutions.

The constant development of the malware, which includes its use on macOS, ensures that it remains relevant in the hacking scene. In December 2021, Dridex was even among the top tools that made use of the widespread Log4j vulnerability. In the previous year, it was the fourth-most commonly used malware.

Not a major issue for Apple users (yet).

Typically, Dridex finds its way onto its victims’ systems via documents with malicious macros attached to emails. In the case that Pedragoza analyzed, the malware was delivered as a Mach-O executable, the native binary format on macOS.

The malware then searches for Word documents with the “.doc” extension and injects further malicious code into them in the form of macros. The original Office file is completely overwritten in the process. Dridex hides the URL from which it retrieves additional malicious content by storing it as an encrypted string.
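The behaviour just described, legitimate .doc files being overwritten with macro-laden copies, leaves a pattern a defender can check for. The Python below is an added example (not code from the Trend Micro report or from Dridex) that fingerprints .doc files and flags any that changed since a baseline and now name a VBA project; the OLE stream-name check is an assumed heuristic, not a full OLE parser.

```python
from __future__ import annotations
import hashlib
from pathlib import Path

# Legacy binary Office documents (.doc) are OLE compound files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Stream/storage names in the OLE directory are stored as UTF-16LE; a VBA
# project always lives under these names, so their presence is a strong
# (heuristic) indicator that the document carries macros.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def has_vba_project(data: bytes) -> bool:
    """True if data is an OLE (.doc) file whose directory names a VBA project."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def fingerprint(data: bytes) -> tuple[str, bool]:
    """(sha256 hex digest, has_macros) for one document's bytes."""
    return hashlib.sha256(data).hexdigest(), has_vba_project(data)


def scan_docs(root: Path) -> dict[str, tuple[str, bool]]:
    """Fingerprint every .doc file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): fingerprint(p.read_bytes())
            for p in root.rglob("*.doc") if p.is_file()}


def newly_macro_enabled(baseline: dict, current: dict) -> list[str]:
    """Paths whose content changed since the baseline AND now carry a VBA project.
    A known document being overwritten with a macro-laden copy is the pattern to flag."""
    return sorted(path for path, (digest, macros) in current.items()
                  if macros and path in baseline and baseline[path][0] != digest)


# Constructed sample input (not real Dridex artefacts): a clean OLE header and
# the same file after being overwritten with a copy that names a VBA project.
CLEAN_DOC = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
MACRO_DOC = (OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")
             + "_VBA_PROJECT".encode("utf-16-le"))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.doc").write_bytes(CLEAN_DOC)
        before = scan_docs(root)
        (root / "report.doc").write_bytes(MACRO_DOC)   # simulate the overwrite
        print(newly_macro_enabled(before, scan_docs(root)))  # ['report.doc']
```

In practice the baseline would be stored after a known-good scan and compared on a schedule; a sudden batch of hash changes on macro-enabled .doc files is the signal worth alerting on.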

“Currently, the impact of this Dridex variant on macOS users is minimal, as the payload is an exe file,” the security researcher warns in his report on the malware. But the malicious macros in documents that have been overwritten can easily spread to other systems and keep the infection going.

And further modifications for better compatibility with the Apple operating system are also to be expected for future versions of the malware.