This week, I've seen a lot of malicious spam (malspam) pushing Dridex malware. Today's diary, provides a quick rundown on the types of malspam I've seen, and it also covers what an infected Windows host looks like.
I've seen at least 3 different themes used during the first two days of this week from malspam pushing Dridex. One was a voicemail-themed email. Another used a DHL them. Finally, I saw a FedEx-themed email pushing Dridex. See the images below for examples.
An infected Windows host
I infected a lab host using a URL from one of the emails shown above. See images below for details.
URLs from the three email examples:
Zip archive downloaded from link in one of the malspam:
VBS file extracted from the above zip archive:
Initial Dridex DLL seen after running VBS file:
File hashes for Dridex DLLs made persistent during the infection:
Of note, zip archives from links in the emails appeared to be different names/sizes/hashes each time I downloaded one, even if it was from the same link. Also, when a Dridex-infected Windows host is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.
Dridex remains a feature of our threat landscape, and it will likely continue to be, at least in the foreseeable future. Windows 10 hosts that are fully patched and up-to-date have a very low risk of getting infected from Dridex, so it pays to follow best security practices.
Mar 25th 2020
1 month ago