ISC Stormcast For Wednesday, March 25th 2020 https://isc.sans.edu/podcastdetail.html?id=6924

Recent Dridex activity

Published: 2020-03-25
Last Updated: 2020-03-25 00:42:16 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

This week, I've seen a lot of malicious spam (malspam) pushing Dridex malware.  Today's diary, provides a quick rundown on the types of malspam I've seen, and it also covers what an infected Windows host looks like.

The malspam

I've seen at least 3 different themes used during the first two days of this week from malspam pushing Dridex.  One was a voicemail-themed email.  Another used a DHL them.  Finally, I saw a FedEx-themed email pushing Dridex.  See the images below for examples.


Shown above:  Malspam using a voicemail theme to push Dridex.


Shown above:  Malspam using a DHL them to push Dridex.


Shown above:  Malspam using a FedEx theme to push Dridex.

An infected Windows host

I infected a lab host using a URL from one of the emails shown above.  See images below for details.


Shown above:  Clicking on the link in the Fedex email.


Shown above:  Extracting a VBS file from the downloaded zip archive.


Shown above:  Running the VBS file drops the initial DLL for Dridex.


Shown above:  Dridex persistence mechanism 1 of 3--a scheduled task.


Shown above:  Dridex persistence mechanism 2 of 3--a regisrty update.


Shown above:  Dridex persistence mechanism 2 of 3--a shorVcut in the Windows startup menu.

Indicators

URLs from the three email examples:

  • hxxp://bienvenidosnewyork[.]com/app.php
  • hxxp://photoflip[.]co[.]in/lndex.php
  • hxxp://everestedu[.]org/lndex.php

Zip archive downloaded from link in one of the malspam:

VBS file extracted from the above zip archive:

Initial Dridex DLL seen after running VBS file:

File hashes for Dridex DLLs made persistent during the infection:

Final notes

Of note, zip archives from links in the emails appeared to be different names/sizes/hashes each time I downloaded one, even if it was from the same link.  Also, when a Dridex-infected Windows host is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.

Dridex remains a feature of our threat landscape, and it will likely continue to be, at least in the foreseeable future.  Windows 10 hosts that are fully patched and up-to-date have a very low risk of getting infected from Dridex, so it pays to follow best security practices.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: dll Dridex malspam vbs zip
0 comment(s)

Comments


Diary Archives