SANS ISC InfoSec Forums
Dridex seen spoofing referer from social media and search engine sites such as facebook, twitter,google, msn, bing
Summary Analysis
A few characteristics as seen:
[+] Malware downloads an exe file upon execution
[+] Fixated Mozilla 5.0 User-Agent
[+] Referer sites from various entertainment and search engines:
    yahoo, google, pinterest, facebook, twitter, bing, aol
[+] POST traffic consists of random characters with query length more than 20
[+] Host sites consist of random characters
[+] Multiple IP direct hits on HTTP traffic without any HTTP traffic

Detection Measures:
[+] Look for direct IP hits outbound to multiple IP addresses within a short time frame.
[+] Look for referer and POST traffic from blocked sites; most organizations block social media, so there should not be any referer from sites such as facebook and twitter.

Possible Analysis Pitfalls
[+] The direct IP communication in the post-infection phase can be overlooked by analysts if they follow the HTTP traffic only.
[+] Referer traffic can be overlooked by the analyst if the analyst does not pay attention to the TCP streams.
[+] The Windows shell, public key and registry interaction in the TCP streams can be overlooked without spending time to search for them.
[+] The Windows shell that belongs to the exe file being downloaded can only be discovered by running strings against the exe file.

Technical Evidence/Details

Refer to my blog http://blue-monsta-mostropi.blogspot.sg/2015/04/dridex-seen-spoofing-referer-from.html
Mostropi
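The detection measures listed in the post (direct IP hits to multiple addresses in a short window, a referer claiming a blocked social media or search site while the request goes elsewhere, a bare Mozilla/5.0 User-Agent, and POSTs whose request target is a long run of random characters) can be turned into a small proxy-log triage script. The code below is an added example, not part of Mostropi's post or blog; the log format (timestamp, source IP, method, host, path, referer, user-agent), the 60-second / three-address burst threshold, and the rule that "random characters" means an alphanumeric-only request target with no key=value structure are all assumptions chosen for illustration, and the log lines are constructed, not captured.

```python
"""Triage of proxy log lines for the Dridex traffic traits described in the post.

Constructed sample log (not a real capture). Field order is an assumption:
    ts  src_ip  method  host  path  referer  user_agent
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit

# Referer domains named in the post. Assumption: the organisation blocks these
# sites, so an outbound request carrying one of them as Referer is suspicious.
SPOOFED_REFERER_DOMAINS = {
    "facebook.com", "twitter.com", "google.com", "msn.com",
    "bing.com", "yahoo.com", "pinterest.com", "aol.com",
}

FULL_UA = "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"

# Constructed sample lines: one benign search, then a beaconing host 10.1.1.5
# that POSTs random targets to a random domain and three bare IPs, and a
# benign host 10.1.1.9 that touches a single internal IP once.
SAMPLE_LOG = f"""\
2015-04-10T10:00:01 10.1.1.5 GET www.google.com /search?q=weather+today http://www.google.com/ {FULL_UA}
2015-04-10T10:00:05 10.1.1.5 POST kxq9zt7vplm.com /a8f3kzqpw0rl2mvx9hgb7dnq http://www.facebook.com/ Mozilla/5.0
2015-04-10T10:00:09 10.1.1.5 POST 203.0.113.7 /zq1nvmx8k3pdl0ryt5wgh2bc http://www.twitter.com/ Mozilla/5.0
2015-04-10T10:00:14 10.1.1.5 POST 198.51.100.23 /p7hf2ydk9mzl4qxw0btn6vrs - Mozilla/5.0
2015-04-10T10:00:20 10.1.1.5 POST 192.0.2.88 /m3xkq8vz0pld7ny2rwtb5hgc - Mozilla/5.0
2015-04-10T10:05:00 10.1.1.9 GET 192.0.2.10 /status - {FULL_UA}
"""


def parse_line(line):
    """Split one log line into a record; user-agent may contain spaces."""
    ts, src, method, host, path, referer, ua = line.split(maxsplit=6)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "referer": referer, "user_agent": ua}


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def has_spoofed_referer(rec):
    """Referer names a blocked social/search domain but the request goes elsewhere."""
    if rec["referer"] == "-":
        return False
    ref_host = urlsplit(rec["referer"]).hostname or ""
    for dom in SPOOFED_REFERER_DOMAINS:
        if _under(ref_host, dom):
            return not _under(rec["host"], dom)
    return False


def looks_random_post(rec):
    """POST whose request target is a long alphanumeric blob (assumed 'random')."""
    target = rec["path"].lstrip("/").lstrip("?")
    return rec["method"] == "POST" and len(target) > 20 and target.isalnum()


def has_fixed_user_agent(rec):
    """The 'fixated' User-Agent from the post, taken here to be the bare token."""
    return rec["user_agent"] == "Mozilla/5.0"


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def direct_ip_bursts(records, window=timedelta(seconds=60), min_ips=3):
    """Source IPs that hit >= min_ips distinct bare-IP hosts inside one window."""
    hits = defaultdict(list)
    for r in records:
        if is_bare_ip(r["host"]):
            hits[r["src"]].append((r["ts"], r["host"]))
    flagged = set()
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {h for t, h in events[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged.add(src)
                break
    return flagged


def analyze(log_text):
    """Return the hosts/sources matching each indicator from the post."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "spoofed_referer": [r["host"] for r in records if has_spoofed_referer(r)],
        "random_post": [r["host"] for r in records if looks_random_post(r)],
        "fixed_user_agent": [r["host"] for r in records if has_fixed_user_agent(r)],
        "direct_ip_burst": sorted(direct_ip_bursts(records)),
    }


if __name__ == "__main__":
    for indicator, matches in analyze(SAMPLE_LOG).items():
        print(f"{indicator}: {matches}")
```

The benign Google search is not flagged even though its referer is google.com, because the request itself goes to google.com; the referer check only fires when the claimed origin and the destination disagree. The burst check is the one that catches the post-infection direct-IP phase the post warns analysts tend to miss, since none of those requests carries a recognisable hostname.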
Mostropi,

Thanks for the information... I've noticed this for a while, but haven't mentioned it in any of my previous blog entries on the subject.

- brad@malware-traffic-analysis.net