
Malicious Office Files Dropping Kasidet And Dridex

By: Nirmal Singh


We have covered the Dridex banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past. However, over the past two weeks we have been seeing these malicious VBA macros leveraged to drop the Kasidet backdoor in addition to Dridex on infected systems. These malicious Office documents are spread as attachments to spear-phishing emails, as described here. The malicious macro inside the Office document is obfuscated, as shown in the code snapshot below:

Macro code

The macro downloads the malware payload from a hardcoded URL. We have seen the following URLs used in the different document payloads that we captured for this campaign:

• armandosofsalem[.]com/l9k7hg4/b4387kfd[.]exe
• 188.226.152[.]172/l9k7hg4/b4387kfd[.]exe

In this blog, we will provide a detailed analysis for the Kasidet variant that we spotted in this campaign.

Kasidet Analysis

Kasidet installs itself into the %APPDATA% folder, creating a new folder there named "Y1FeZFVYXllb"; this string is hardcoded in the malware. The same string is used as the mutex name and in the Registry key created to ensure persistence across system reboots.

AntiVM Check:
Kasidet tries to detect analysis systems during execution through the following checks.
It checks for a debugger through the "IsDebuggerPresent" and "CheckRemoteDebuggerPresent" Windows APIs. It also checks for the following popular sandbox-related strings:



It tries to detect Wine by checking whether kernel32.dll exports the "wine_get_unix_file_name" function. It detects VMware, VirtualBox, QEMU and Bochs by checking for the following registry entries (key, value name, value data):

"SOFTWARE\VMware, Inc.\VMware Tools"
"HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id", "Identifier", "VMware"
"HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id", "Identifier", "VBOX"
"HARDWARE\Description\System", "SystemBiosVersion", "VBOX"
"SOFTWARE\Oracle\VirtualBox Guest Additions"
"HARDWARE\Description\System", "VideoBiosVersion", "VIRTUALBOX"
"HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id", "Identifier", "QEMU"
"HARDWARE\Description\System", "SystemBiosVersion", "QEMU"
"HARDWARE\Description\System", "SystemBiosVersion", "BOCHS"

Information Stealing capabilities:

Kasidet uses the following two methods for stealing information from the victim's machine:

1. Memory Scraping – This allows Kasidet to steal credit card data from the memory of Point-of-Sale (POS) systems. It scans the memory of all running processes except the operating system processes listed below:

The stolen information is relayed back to the attacker using the following URI format:

d=1&id=<MachineID>&name=<SystemName>&type=<Track1 or Track2 data>&data=<stolen data>&p=< Process elevation status >

2. Browser Hooking – This allows Kasidet to steal data from web browsers. It can inject code into Firefox, Chrome, and Internet Explorer (IE). Browser names are not stored in plain text; instead, this variant uses the same hash function as the Carberp malware to obscure the browser names. The following APIs are hooked in the web browser to steal sensitive data:

HttpSendRequestW, InternetWriteFile

The stolen information is relayed back to the attacker using the following URI format:

ff=1&id=<MachineID>&name=<SystemName>&host=<Base64 encoded host name>&form=<Base64 encoded HTTP header data>&browser=<Browser name>

The information stealing feature of this Kasidet variant is deactivated if the system locale or GeoUserID corresponds to Russia.

Network communication:

Kasidet contains a hardcoded list of Command & Control (C&C) server locations. It uses the CryptStringToBinary API call to decrypt the embedded C&C URLs, as seen below:

Kasidet C&C list

Upon successful infection, Kasidet sends an HTTP POST request with the data "enter=1" (without quotes). All HTTP header fields (User-Agent, Content-Type and Cookie) are hardcoded in the payload itself.

Kasidet Hardcoded HTTP fields

The C&C server will not return the required data if the HTTP header fields differ. The server sends a fake 404 response code and HTML data stating that the page is not found, but the C&C commands are hidden in an HTML comment tag in the response, as seen below:

Kasidet - First communication with C&C
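As an added example (not code from this post or from Zscaler), the following Python classifies POST bodies against the three request shapes described above: the "enter=1" beacon, the memory-scraping exfil format and the browser-hooking exfil format. The parameter names come from the post; the sample bodies, machine IDs, host names and the base64 values are constructed for illustration, and the hardcoded headers are not modelled because the post does not list their values.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample POST bodies modelled on the formats described in the post.
# IDs, names and hosts are made up; the PAN in the Track2 sample is a well-known test number.
SAMPLE_BODIES = [
    "enter=1",                                                   # initial beacon
    "d=1&id=AB12&name=POS-01&type=Track2&data=4111111111111111%3D2512101&p=1",
    "ff=1&id=AB12&name=WS-07&host=bG9naW4uZXhhbXBsZS5jb20%3D"
    "&form=VXNlcj1hbGljZQ%3D%3D&browser=chrome",
    "q=search&page=2",                                           # benign, should not match
]

POS_KEYS = {"d", "id", "name", "type", "data", "p"}
BROWSER_KEYS = {"ff", "id", "name", "host", "form", "browser"}


def classify(body):
    """Map a POST body to a Kasidet stage; returns (stage, details) or None."""
    if body == "enter=1":
        return ("beacon", {})
    params = parse_qs(body, keep_blank_values=True)
    if POS_KEYS <= set(params) and params["d"] == ["1"]:
        # Do not copy the stolen track data into the alert, only record its length.
        details = {k: params[k][0] for k in ("id", "name", "type", "p")}
        details["data_len"] = len(params["data"][0])
        return ("pos_exfil", details)
    if BROWSER_KEYS <= set(params) and params["ff"] == ["1"]:
        details = {k: params[k][0] for k in ("id", "name", "browser")}
        try:  # host is base64 per the post; reject anything that does not decode cleanly
            details["host"] = base64.b64decode(params["host"][0], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            details["host"] = None
        return ("browser_exfil", details)
    return None


def scan(bodies):
    """Return (body, stage, details) for every body that matches a Kasidet shape."""
    hits = []
    for body in bodies:
        result = classify(body)
        if result:
            hits.append((body, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for body, stage, details in scan(SAMPLE_BODIES):
        print(stage, details)
```

In a proxy or IDS pipeline the same parameter-set match can be applied to the decoded request body; the beacon string alone is too short to alert on by itself, so pair it with the hardcoded header values shown in the capture.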

Kasidet requests additional commands from the C&C server with the following POST request:

Kasidet request for additional commands

The request carries the following fields:

• Command. It is hardcoded in the malware payload as '1'.
• MachineGuid value fetched from the Software\Microsoft\Cryptography registry key
• System name
• Operating system version
• Process elevation status
• Antivirus installed on the infected system
• Version of the bot. It is hardcoded in the malware; the current version that we analysed is 4.4
• Flag that indicates whether the system locale and UserGeoID is Russia

Like browser names, all the command strings are also encrypted using a hash function. Below are some of the important commands (only the hash of the first is shown here):

• rate <number> (command hash 0x0E587A65): used in the sleep function
• DDoS using the HTTP protocol
• Start keylogging and screen-capture threads
• Download and execute an additional component; this file can be a DLL, EXE or VBS
• Search for a given process name among the processes currently running on the system
• Find a given file on the system and upload it to the server
• Drop the setting.bin file and change firewall settings to download and execute a plugin component
• Execute a given command using Windows cmd.exe


Malicious Office documents are a popular vector for malware authors to deliver their payloads. Dridex authors have leveraged this technique for over a year, and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads. While this does not establish any link between the authors of the two malware families, it reaffirms that much of the underlying infrastructure and delivery mechanisms are often shared by these cyber criminals.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Analysis by - Abhay Yadav, Avinash Kumar and Nirmal Singh
