Dridex Phishing Campaign uses Malicious Word Documents

Published: 2014-12-01
Last Updated: 2014-12-01 17:48:11 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

This is a guest diary submitted by Brad Duncan.

During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex.  Today, we'll examine a wave that occurred approximately 3 weeks ago.  The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware.

Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and other phishing campaigns.

Let's take a closer look at one of the November phishing waves.

On 11 Nov 2014, I saw at least 60 emails with Duplicate Payment Received in the subject line.  This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe.

These messages had an HTML component, and some also had an image displaying a written signature.

After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled.  Post-infection traffic began shortly after the download.

Shown above: infection traffic as seen in Wireshark.

Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [5]

Shown above: events from Sguil in Security Onion.

File hashes changed during this wave of emails, indicating at least 3 different Word documents were used.  During this phishing run, Dridex malware came from IP addresses in the block.  The following were samples were found:

Example of malicious Word document from 11 Nov 2014 phishing email:


Example of Dridex malware downloaded by the above Word document:



[1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html
[2] http://www.abuse.ch/?p=8332
[3] http://blog.dynamoo.com/
[4] https://techhelplist.com/index.php/spam-list/
[5] http://doc.emergingthreats.net/2019478

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

2 comment(s)


A nice write up.

Diary Archives