Dridex malware may be embedded in XML documents (Word 2003 XML files carrying macros and binary data) to evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate malware infections that could otherwise persist undetected in the environment.
YARA Rule
rule Dridex_Trojan_XML : maldoc {
    meta:
        description = "Dridex Malware in XML Document"
        author = "Florian Roth @4nc4p"
        reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
        date = "2015/03/08"
        hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
        hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
        hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
        hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
        hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
    strings:
        // can be ascii or wide formatted - therefore no restriction
        $c_xml = "<?xml version="
        $c_word = "<?mso-application progid=\"Word.Document\"?>"
        $c_macro = "w:macrosPresent=\"yes\""
        $c_binary = "<w:binData w:name="
        $c_0_chars = "<o:Characters>0</o:Characters>"
        $c_1_line = "<o:Lines>1</o:Lines>"
    condition:
        all of ($c*)
}
This rule contains 6 string patterns in its detection logic, and all of them must be present for a file to match. The following scenarios describe legitimate activity that produces XML files, with the filters or exclusions to apply when deploying the rule in those contexts:
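To see how the six strings combine under the condition all of ($c*), here is a plain-Python re-implementation of the rule's matching logic (an added example, not the original rule's code or part of YARA). It mirrors the rule's "ascii or wide" comment by testing each pattern in both ASCII and UTF-16LE form, and runs it over a constructed Word 2003 XML skeleton with and without the macro markers.

```python
# Re-implementation of Dridex_Trojan_XML's string checks in plain Python.
# Added example: not YARA itself, and the sample documents are constructed.

# The six $c_* strings exactly as written in the YARA rule.
PATTERNS = {
    "c_xml": '<?xml version=',
    "c_word": '<?mso-application progid="Word.Document"?>',
    "c_macro": 'w:macrosPresent="yes"',
    "c_binary": '<w:binData w:name=',
    "c_0_chars": '<o:Characters>0</o:Characters>',
    "c_1_line": '<o:Lines>1</o:Lines>',
}


def present(data: bytes, pattern: str) -> bool:
    """True if the pattern occurs as ASCII or as UTF-16LE ("wide") text."""
    return pattern.encode("ascii") in data or pattern.encode("utf-16-le") in data


def matched_strings(data: bytes) -> list:
    """Names of the rule strings found in data (in rule order)."""
    return [name for name, pat in PATTERNS.items() if present(data, pat)]


def is_dridex_xml(data: bytes) -> bool:
    """Equivalent of the rule condition 'all of ($c*)'."""
    return len(matched_strings(data)) == len(PATTERNS)


# Constructed sample: minimal Word 2003 XML carrying every marker the rule
# looks for. The binData content is a placeholder, not a real payload.
SUSPICIOUS_DOC = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"
 xmlns:o="urn:schemas-microsoft-com:office:office" w:macrosPresent="yes">
 <o:DocumentProperties><o:Lines>1</o:Lines><o:Characters>0</o:Characters></o:DocumentProperties>
 <w:binData w:name="editdata.mso">QUFBQUFBQUE=</w:binData>
</w:wordDocument>
"""

# Same skeleton without the macro flag and embedded binary: an ordinary Word
# XML export that must NOT match, even though four of six strings are present.
BENIGN_DOC = SUSPICIOUS_DOC.replace(b' w:macrosPresent="yes"', b"").replace(
    b'<w:binData w:name="editdata.mso">QUFBQUFBQUE=</w:binData>', b"")

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOC), ("benign", BENIGN_DOC)):
        print(label, is_dridex_xml(doc), matched_strings(doc))
```

Note that a file such as a PowerShell-generated update task or a SQL Server log export will not carry the Word.Document progid or the macro flag, so the partial-match list is useful for triaging why a file did or did not fire.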
Scenario: A system administrator is using PowerShell to generate an XML configuration file for a Windows Update task.
Filter/Exclusion: Exclude files with the .xml extension created by PowerShell scripts in the C:\Windows\Temp directory or by the wuauclt.exe process.

Scenario: A scheduled job runs nightly to export SQL Server logs to an XML file for auditing purposes.
Filter/Exclusion: Exclude files generated by SQL Server processes (sqlservr.exe) in the C:\Program Files\Microsoft SQL Server directory.

Scenario: A DevOps pipeline (e.g., Jenkins or Azure DevOps) generates XML artifacts during a build process.
Filter/Exclusion: Exclude files created by Jenkins or Azure DevOps processes in the build artifact directory (e.g., C:\Jenkins\workspace\ or C:\AzureDevOps\_work\_artifacts\).

Scenario: A system diagnostic tool (e.g., Windows Performance Analyzer or ProcMon) generates XML logs for troubleshooting.
Filter/Exclusion: Exclude files created by perfmon.exe, ProcMon.exe, or wbemtest.exe in the C:\Windows\System32 or C:\Program Files\Windows Performance Toolkit directories.

Scenario: A third-party application (e.g., Microsoft SharePoint or SAP) exports data to XML format as part of its normal operation.
Filter/Exclusion: Exclude files generated by known SharePoint or SAP processes (e.g., w3wp.exe, sap.exe) in their respective installation directories.